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Editor’s Comments 


Welcome to volume 12, issue 2 of the Journal of Physical Security (JPS). In addition to the 
usual editor’s rants and news about security that appear immediately below, this issue has 
papers about security by design, defeating electronic locks with radiofrequency attack 
tools, poor seal practice with pressure-sensitive adhesive label seals, wargaming Brexit, 
and a revised and updated list of my popular (mostly smart ass) security maxims. 


The fourth paper on wargaming Brexit may seem a bit far afield from physical security, 
but I think readers will find the discussion about how to wargame to be quite relevant for 
analyzing your organization’s security/vulnerabilities, and for contingency planning. 


All papers are anonymously peer reviewed unless otherwise noted. We are very grateful 
indeed to the reviewers who contribute their time and expertise to advance our under- 
standing of security without receiving recognition or compensation. This is the true sign of 
a professional! 


Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up 
there to be notified by email when a new issue becomes available. A cumulative table of 
contents for the years 2004 through March 2019 is available at http://rbsekurity.com/JPS 
Archives/grand jps_ TOC.pdf 


JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small 
company devoted to physical security consulting, vulnerability assessments, and R&D. 


(http://rbsekurity.com) 


As usual, the views expressed in these papers and the editor’s comments are those of the 
author(s) and should not necessarily be ascribed to their home institution(s) or to Right 
Brain Sekurity. 


KK KKK 


Bad Nomenclature I: Run for Cancer 
Is it just me, or is it a bit disconcerting how many people in corporate America suddenly 
have the title of “Director of Insider Threat”? Seems to me we ought to be working against 


the insider threat. Perhaps the title should be “Director of Insider Threat Mitigation”. 


Actually—the silly job title aside—this is a healthy sign. More focus on the insider threat 
has long been needed. Now if only government would wake up as well. 


RK KKK 


Bad Nomenclature II: A Rose by Any Other Name 
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There seems to be a slowly increasing trend of companies naming themselves so as to 
(arguably) appear to be non-profits, research centers, security “institutes”, or universities. 
In my view, this is misleading, disingenuous, and kind of sleazy. At the very least, it is 
unhelpful for an industry like security that is already plagued by hype, snake oil, confusion, 
and wishful thinking. 


The following is a web page and video from such a company, which nevertheless contain 
sound security advice despite the company’s reprehensible name: 
https://www.securityexecutivecouncil.com/spotlight/?sid=3 1686 


KK KKK 


Ghost Police Cars 


Police departments are increasingly using “ghost” or “stealth” police cars to catch 
speeders. Such cars often have reflective markings that cannot be easily seen in daylight 
and/or at certain angles, though there are also versions with non-reflective hard-to-see 
graphics. Ghost police cars usually also have no light rack on the top of the car to avoid 
looking like a regular patrol car. Instead, flashing lights are embedded in the body of the 


car and/or inside the windshield. See https://www.dailymail.co.uk/news /article- 
feel ach Ue eens North-Carolina-cop-cars- S-pull- drivers. html and 


Counterfeit Cars 


Michael Kaplan had an interesting article in the New York Post about the epidemic of 
counterfeit classic cars meant to scam collectors. See 
https://nypost.com/2019/03 /02/how-counterfeit-car-makers-are-scamming-enthusiasts 


KK KKK 


Counterfeit Fish 


National Geographic had a good article on seafood fraud: 
https: //www.nationalgeographic.com/environment/2019/03 /study-finds-seafood- 


mislabeled-illegal/ 
2K OK KKK 
Counterfeit Rocket Parts 


A metal manufacturer allegedly faked test results on materials used in NASA rockets that 


caused 2 launches to fail, wasting $700 million: https://www.latimes.com/business/la-fi- 
nasa-metals-fraud-20190501-story.html 


RK KK 
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Counterfeit GPS Signals 


Russia’s extensive use of GPS spoofing is discussed in this article: 
https://www.bbc.com/news/technology-47786248 


KK KKK 


More Russian Sleaze 


Thousands of fraudulent votes were cast in favor of a millionaire’s young daughter, 
rigging the winner of the popular Russian TV show “The Voice Kids”: 
https://www.bbc.com/news/world-europe-48293196 


RK KKK 


And Yet More Russian Sleaze 


Zvezda, the TV channel of the Russian Defense Ministry, was widely ridiculed for its 
interview with opera diva Elena Obraztsova about journalist Sergei Dorenko, supposedly at 
his funeral. Ms. Obraztsova had died herself in 2015. Dorenko had been a harsh critic of 
Putin since 2000. 


For more information, see https://www.independent.co.uk/arts- 


entertainment/music/news /russian-tv-zvezda-elena-obraztsova-death-interview- 


moscow-dead-a8912896.html 


KK KKK 


More Scoundrels 


In theory, the Human Resources (HR) Department can be one of the most powerful tools 
for security. In many organizations, however, HR often works to make security worse 
through incompetent hiring, rampant charlatanism, mistreating employees, condoning 
bullying and harassment, and failing to mitigate insider threats. As secret police, judge, 
jury, and executioner, HR too often takes mildly disgruntled employees, and turns them 
into vehemently disgruntled employees, risking retaliation against the organization, harm 
to its reputation, and damage to productivity. 


Jana Kasperkevic has an interesting article in Marketplace about HR trying to rebrand 
and repair its terrible (and, in my view, often well deserved) reputation. See 
https://www.marketplace.org/2019/07/17/reflecting-rebranding-but-can-hr-repair-its- 


reputation/ 


RK KKK 


lil 
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SIMply Lame 


This article in Wired magazine is disturbing: “The SIM Swap Fix that the US Isn’t Using”, 
https://www.wired.com/story/sim-swap-fix-carriers-banks 


KK KKK 


Candid Camera 


A few tips on how to spot hidden video cameras in your Airbnb: 
https://www.fastcompany.com/90331449 /how-to-find-hidden-cameras-in-your-airbnb- 


and-anywhere-else and https://www.cnbc.com/2019/06/28/how-to-find-cameras-in- 
your-airbnb-or-hotel-room.html 


KKK K 
Stealing from Art Museums 
Michael Finkel had an interesting article in GQ about Stéphane Breitwieser who robbed 


nearly 200 art museums: 
https: //www.gq.com/story/secrets-of-the-worlds-greatest-art-thief 


KK KKK 


Want Fries with That? 


Fast-food drive-throughs are increasingly targets of criminals: 
https://www.newsweek.com/fast-food-drive-thru-bank-arrest-felony-lane-sting-fbi- 


restaurants-security-1376132 


KK KKK 


What to Do if Your Purse or Wallet is Stolen 


See https: //www.thebalance.com/my-wallet-purse-was-stolen-now-what-1947532 
and https://www.chicagotribune.com/lifestyles /sc-fam-stolen-purse-0725-story.html 


RR KKK 


(Not So) Safe Deposit Boxes 


The July 19, 2019 edition of the New York Times has an excellent article about the 
problems with the 25 million safe deposit boxes in the United States. They aren’t 
necessarily all that secure. Moreover, there are no federal laws protecting consumers who 
use safe deposit boxes, and you may not be compensated if your property in them is 
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missing, stolen, or damaged. See https://www.bloomberg.com/opinion/articles/2019-07- 


22 /don-t-put-your-valuables-in-the-bank 


For a discussion of what NOT to store in a bank safe deposit box, see 
https://www.kiplinger.com/slideshow/saving/T005-S001-things-you-ll-regret-keeping- 


in-a-safe-deposit-box/index.html 


KK KKK 


Not So Smart Smart Locks 


See this web page for a brief but interesting discussion of lock vulnerabilities: 
https://www.pentestpartners.com/security-blog/smart-locks-dumb-securi 


RK KKK 


Looking into the Cameras (Literally) 


The US government’s new requirement that federal agencies no longer purchase video 
cameras made in China, and remove such cameras by August 2019 has created all kinds of 
problems. The task is nearly impossible. See 
https://securityelectronicsandnetworks.com/articles/2019/07/12/u-s-governments- 


chinese-camera-ban-creating-dogs-breakfast-in-cctv-market/ 


KK KKK 


Blue Light Special 


The emergency blue-light phones found on the campuses of many colleges and 
universities are no longer much used. Most students have mobile phones with them and 
use them instead to summon help in an emergency. The blue-light phones are also fairly 
expensive. Many colleges and universities, however, are keeping the blue-light phones, 
reasoning that they provide a sense of security, and demonstrate the institution’s 
commitment to safety and security. For more information, read this excellent article from 
the Chronicle of Higher Education: https://www.chronicle.com/article/Emergency-Blue- 
Light-Phones/245552 


RK KKK 


High Chairs Are Not for Adults 


If you are organizing a panel at a conference or a public presentation, skip the ridiculous, 
high-rise chairs for presenters. Such chairs are awkward and challenging for everybody, 


Vv 
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but especially for short women in heels and dresses or r skirts. See 


8456- 4631- abff-e43dd13f17d7 


KK KKK 


Physics Breakthrough 


Scientists have demonstrated a technique to keep light beams from diffusing when 
passing through inhomogeneous materials. This could have major implications for future 
security, e.g., being better able to see through walls. See 
https://www.scienceandtechnologyresearchnews.com/physics-researchers-discover-new- 


approach-to-control-the-spread-of-light/ 


RK KKK 


The (Mindless) Sound of Music 
The next time you are creatively thinking about your security and its vulnerabilities, keep 


in mind that new research suggests background music suppresses creativity. I, for one, 
cannot recall a single instance of creativity in an elevator when elevator music is playing. 


See https://onlinelibrary.wiley.com/doi/full/10.1002/acp.3532. 


On the other hand, check out this list of songs about imagination and creativity: 
https://www.playlistresearch.com/themes/misc/imagination.htm 


KK KKK 


“Something Insane in the Air’ or “Fly the Fiendly Skies” 


Check out the whacky things people have tried to bring on to airplanes: 
https://www.townsvillebulletin.com.au/travel/tsas-social-media-highlights-weird-stuff- 


in-travellers-bags /news-story/423e08e40ddc1bb9af08e94986733619 


RR KKK 


The Best and the Brightest 


A USS. Secret Service agent reportedly inserted a malicious thumb drive carried by a 
Chinese Mar-a-Lago intruder into his government computer shortly after it was 
confiscated: https: //www.newsweek.com/secret-service-chinese-mar-lago-thumb-drive-1389905 


KK KKK 


Vi 
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Boogeyman 


Check out this blog discussing stupid stock photos of hackers; these are used by cyber 


security companies to scare potential customers: https://teachprivacy.com/the-funniest- 
hacker-stock-photos-2-0/ 


KK KKK 


Stupid Is As Stupid Does 


A kaleidoscope of stupid security measures: https://www.youtube.com/watch?v=lsiYeum1430 


RK KKK 


-- Roger Johnston 
Oswego, Illinois 
August 2019 


Vil 
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Viewpoint Paper 


Security by Design 


L. Kent Howard, CISSP, CPP 


Introduction 


In 1951, Bell Labs engineers responsible for designing the U.S. telephone system were 
instructed to develop an entirely new system, without depending on any of the existing 
parts. The redesign the Bell engineers produced resulted in virtually every feature of the 
modern telephone — call forwarding, call waiting, three-way calling, caller ID, touchtone 
dialing, conference calling, speaker phones, voicemail, etc. 


In their book Idealized Design, authors Ackoff, Addison, and Magidson describe a 
methodology that effectively allows the practitioner to identify an ideal design for an 
organization, system, or process and then work backward to the current state in order to 
identify the pieces needed to make the design a reality. The problem the authors call out is 
that “We have been focusing on improving parts of the system rather than focusing on the 
system as a whole. As a result, we have been improving the parts but not the whole. We 
have got to restart by focusing on designing the whole and then designing the parts that fit 
it rather than vice versa.” [1] 


Dr. Ackoff was an outside participant in the telephone reengineering process at Bell Labs. 
He saw first-hand the power of starting with the whole and the remarkable impact that this 
approach has on innovation. 


My own experience with Ackoff, Addison, and Magidson’s methodology led me to ponder 
what Security as a whole might look like if we re-envisioned it through the lens, the 
precepts, and the principles of Idealized Design, and what kind of innovation this approach 
might unleash. 


There are far too many interpretations of the term security to proceed toward a holistic 
program design without some initial grounding to establish a common point of origin. The 
first step in this paper, then, is to provide a brief discussion on what security is, and the 
role that security practitioners play. A look at security culture is then critical, as this is the 
glue that will bond the organization to the common goal of security risk management. This 
will also give deeper meaning to the subsequent discussion of the design process, the 
integration of security risk owners, the various program elements that will make up a 
security program, and, finally, future-proofing the security program as part of the whole. 
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What is Security? 


A common misperception is that security is about a collection of things — anti-malware, 
data encryption, security cameras, locks on doors, etc. The presence of most any 
combination of these things can, too easily, result in the thought that the topic of security 
seems to have been addressed and, therefore, does not need much attention beyond that 
point. Additionally, the idea of just what security is varies widely, and people generally 
operate with the belief that security is the exclusive domain of the Security group, or a 
security provider that has been hired. 


The perspective that many people have of security is based on their observations or 
experiences. We have all seen security patrol vehicles, security guards, someone from 
“Security” holding a meeting to discuss data governance or conducting an Incident 
Response exercise, etc. You may have worked with Security to conduct an investigation 
into areported wrongdoing, or you may have seen Security performing crowd control 
activities during events, or walking through office areas after hours to do clean-desk 
checks. 


These glimpses into security have influenced our overall understanding and have left us 
with incomplete notions about security. This confusion comes from the thought processes 
that have been established through our observations and the expectations we have 
developed, over time, as to what security is. 


At the most fundamental level, security is a function of risk management that addresses 
security risk. The activities, tools, and processes that have become associated with security 
are actually just the means of mitigating security risks. 


Enterprise Security Risk Management 


Security risk exists in many different forms within any given organization. Examples 
include the risk of financial loss due to employee theft, the risk of organizational reputation 
being impacted by a cyber attack, or the risk to human life and wellbeing that workplace 
violence represents. 


Enterprise Security Risk Management: Concepts and Applications authors Allen, and 
Loyear define Enterprise Security Risk Management (ESRM) as “the application of 


fundamental risk principles to manage all security risks — whether related to information, 
cyber, physical security, asset management, or business continuity — in a comprehensive, 
holistic, all-encompassing approach.”[2] ESRM is a model that integrates management of 
security risk throughout the entire organization from the board to the executive suite, and 
throughout the enterprise to wherever security risk exists. No level of management, 
business process owner, or other employee is immune to security risk. Therefore, security 
risk management does not belong to Security alone. Rather, security risk management 
belongs to everyone in the organization. 
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Viewed through the lens of ESRM, the role that Security plays is to work as subject- 
matter experts to enable the enterprise to manage security risk. 


Security Culture 


ESRM dictates that Leadership has a fundamental and ongoing responsibility to establish 
and maintain an appropriate security culture within the organization. While members of 
leadership cannot stand by to remind employees to think about security on a day-by-day 
basis, Leadership needs to demonstrate the importance of security, and the priority that is 
being placed on security at the topmost levels of the organization. Each employee must 
understand their part in managing security risk. Whether their responsibility is to simply 
complete prescribed security awareness training and education assignments, or to develop 
a deeper understanding of at-risk business processes within their respective operational 
areas, each employee needs to know their role in security risk management. 


The benefits of security risk management and its relationship to business success is also 
good for people to hear. This will ensure employees understand why they should care 
about managing security risk and will begin the process of developing a culture of security, 
along with the greater sense of individual responsibility for protecting their organization’s 
assets that accompanies such a culture. 


Thought challenge: Generational (Baby Boomer vs Generation X vs 
Millennial vs Generation Z) differences have organizations making changes 
to workplace environments, work-life balance practices, and employee 
benefits like maternity/paternity leave. The idea behind these changes is so 
their organizations stay attractive to younger members of the labor pool. 


The challenge for security leadership is to account for generational 
differences as security program design takes place, in order to keep people, 


process and technology associated with security current. GenZ employees 


may very well challenge why things like legacy access control badges 
haven't been replaced by digital certificates on mobile telephones. The 
perspective could easily be, “Why would I want to work in a backward (aka 
antiquated or old-fashioned) environment?” 
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Security by Design 


Improve. See figure 1. This reflects the nature of 
the global security threat landscape, which is 


Security is not a set-it-and-forget-it program, Plan 
but a lifecycle: Plan, Build, Monitor, Respond, and 

always changing and evolving. The optimal 

security program will take the fluidity of the 


threat landscape into account and will change as 

necessary. This requires an intentional design 

effort in which appropriate stakeholders come Respond Monitor 
together to develop the vision and goals of the 


security program. FIGURE 1 — Security Lifecycle 


A comprehensive security risk assessment is critical and must be completed prior to 
program design efforts. The results of the risk assessment will not be a direct recipe for the 
program, but they will help identify and locate security risks within the organization. 
(There is ongoing discussion in various security industry circles about the impact that 
traditional risk assessments can have on the organization’s culture of innovation. The 
imperative for the security design effort is to know where security risk exists without the 
assessment process itself dictating a solution.) 


Following the ESRM model, key stakeholders involved in managing security risk should 
be involved in the design of the security program. Thus, the design effort should engage 
not just security professionals but owners of business processes where security risk exists, 
like HR, Accounting, Finance, Supply Chain, and others. Even though many of the 
stakeholders involved in the design process will not report to Security, they should, 
nevertheless, be involved in the effort, because they own security risk(s) and bring deep 
knowledge of their facet of the business. 


The initial security design effort should center on defining the vision for the program. 
This is the single most important opportunity for innovation — creating the vision for the 
whole, without regard to any of the existing parts. The tendency will be for the security 
design team to include the collection of people, processes and technologies that are 
currently in place. Instead, the focus should be on developing the program vision and 
goals. The how — the tools, etc. — of the program will fall into place later. 


Examples of innovative design statements that might come out of an Idealized Design 
effort include: 


¢ The security program must enable the management of security risk across our 
organization. 


¢ We want to establish a security culture within our organization. 


* Our security program should be future-proof. 
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¢ The security program must pursue continuous improvement. 


¢ The security program should be transformational for our organization. 


Once the security design team has developed the basic goals and tenets of the program, 
each individual design statement can then be broken down into smaller components for 
further development. This is where the how begins to take form and questions associated 
with the people, processes, and technologies that will be needed can begin to be asked and 
answered. 


Existing program elements can be worked into the design, as appropriate. However, 
existing security features should not be included just because “that’s the way we’ve always 
done it.” Each element must be evaluated against the new vision and goals. Any program 
element that does not fit with the new vision should be removed. Similarly, if an existing 
element needs to be modernized, streamlined, or automated, then the changes should be 
completed before the element is incorporated into the new program design. 


The risk assessment results are critical at this point, and should be incorporated into the 
results from the high-level design effort. 


A suggested approach to translating design statements into program elements is to take 
each individual statement and determine what is needed in order to enact it. Here are just 
some of the possibilities: 


¢ Training for both Security and non-Security people. 
¢ Business process improvement projects. 
¢ Projects for new, updated, or reconfigured security and non-security technologies. 
* Development of collaborative internal and external relationships. 
* Development of security policy, standards, and procedures. 
The security design effort must be considered to be a project, and should be managed 


accordingly. Resource commitments, timelines, status reports, and other aspects of 
successful project management should be fully observed to ensure project success. 


Stakeholders — Security Risk Owners 


As emphasized earlier, people from functional groups that own security risk should be 
involved in the design of the security program. In all actuality, security risk owners from 
across the organization will be key partners with Security on an ongoing basis. The level of 
collaboration between Security and risk owners is vital, so these relationships need to be 
deep enough to allow for mutual sharing of the who/what/when/where/how/why of 
security risks and security risk management. This will give Security a better understanding 
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of how to enable security risk owners to manage their people, processes, and technologies 
most effectively. 


How are security risk owners identified? The primary means of identifying and 
documenting the owners of security risk is the formal risk assessment. One output ofa risk 
assessment will be a list of business processes in which security risk exists. This will help 
ensure that all stakeholder groups have been identified and, subsequently, will help ensure 
that all security risks have been documented. 


Who are the security risk owners? These groups will vary by organization, but the risk 
assessment process commonly includes Human Resources, Accounting, Finance, Supply 
Chain, Information Technology, Environmental Safety & Health, Enterprise Risk 
Management and, where applicable, Tours/Groups/Event Management, as well as both 
Cyber/Information Security and Physical Security. Additional groups may also be called 
out by the risk assessment. 


In addition to the security risks presented through various internal groups, the risk 
assessment process will help document where potential external risks exist through 
business partners, suppliers, and other groups with which their organization interacts. 
This may be risk that is present in system integrations (e.g., product ordering systems or 
technical support systems) or, processes in which work is executed externally, or 
numerous other ways. 


Relationships with external groups like law enforcement or regulatory agencies need to 
be pursued as a key component of the security risk management strategy. Though some 
external groups may not be identified in the results of the risk assessment, they should be 
included as stakeholders. 


Security risk owners may exist in any, or all of these internal, and external groups. Each 
becomes a critical touchpoint for Security. These are the people and teams that Security 
will enable through education, consultation, coaching, and mentoring to manage security 
risk. These stakeholders are essential to assist with the governance of the security 
program through their respective functions and will report the status of security risk at the 
enterprise level — keeping risk transparent and leadership informed. 


Program Elements 


Program elements will be identified during the program design effort as the 
requirements for individual program goals are defined. Security will take shape, and form 
through these initiatives. The elements built into a security program provide supporting 
structure for the program’s goals. The people, processes, and technologies represented in 
the list of program elements are where security work begins to get done. 


Following are descriptions of core program elements that might fit within a 
comprehensive security program design: 


4 
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Plan 
Program vision and strategy: 

Includes the initial design effort but also incorporates input from evolving 
organizational goals, continuous improvement processes, internal and external threat 
intelligence feeds, etc. This requires input from pertinent security risk management 
stakeholders as well as organizational leadership. 


Risk & vulnerability assessments: 

The process utilized to evaluate potential security risks and the similar evaluation of 
both logical (cyber, network, and systems) and physical (people, places, and things) 
vulnerabilities that may exist. Note: penetration test is the term that is used for a logical 
vulnerability assessment. 


Policy, standards, and procedures: 

The documentation of why (policy), what (standard), and how (procedure) security 
will be carried out within a particular program. These terms are frequently used 
interchangeably, but the distinctions are important in order to correctly authorize, 
describe, and proceduralize a security program. 


Build 
Security technology: 

A specific and pointed strategy for the determination and coordinated 
implementation of technologies associated with security. Technology is so important to 
a modern security strategy that a subsidiary program is frequently developed within 
the larger security program to adequately address the need. 


Security awareness education: 

The delivery of multi-faceted content to organizational employees and potentially 
business partners that helps develop knowledge of the role that each individual plays in 
security and what their response to risks/threats should be. 


Monitor 
Security Operations and Intelligence: 

The heart of security operations and monitoring for both internal and external 
threats, as well as the provider of initial incident response and critical communications. 


Asset and personnel protection: 
The people, processes, and technologies that specifically address the security of 
logical, physical, and intangible assets. 


Respond 
Incident Response: 


A planned and practiced process for responding to various security incident 
categories, whether logical or physical. 


° 
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Business Continuity Planning: 
A planned and practiced process that follows incident response and works to restore 
normal business operations. 


Crisis Management: 

A planned and practiced process that coordinates organizational communications to 
assure that executive leadership receives consolidated, consistent, and timely 
information during incident response and business continuity scenarios. 


Improve 
Capability Maturity Model: 

A Capability Maturity Model (CMM) describes an organization or program in 
comparison to a structured set of characteristics that define a scale which ranges from 
initial (immature) to optimized (mature).[4] See figure 2. The capabilities column will 
consist of elements from the respective security program (those indicated below are 
examples only). Each capability will move from one level to another as maturity 
improves. 


Characteristics Capabilities 


® Insider Threat Management 
® Business Continuity 
® State-of-Security Reporting 


Level1- © Some Awareness. 
Initial ® Considered, but not implemented. 


® Supply Chain Security 
® Planning & Strategy 
® Security Awareness & WPV Program 


Level2- © Some ad hoc implementation, but no 
Replicable strategy. 


fe ef ; = ‘put & Security Technology Strategy 
Level3- © Formal programs have been defined, but © Visitor Management 
® Crisis/Incident Management 


¥ 


Defined implementation is immature. 


FIGURE 2 - Capability Maturity Model 


Please note that there are likely differences in the list of security program elements 


across organizations because of the variation of risks being presented, organizational 
culture differences, disparity in jurisdictional requirements, etc. For example, not all 
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security programs have the requirement to provide executive protection services for their 
organizations. 


Security Budget 


A budget needs to be developed for implementation of the security design. The cost of 
each program element will need to be weighed against the set of risks that the element is 
designed to address. In some cases, the comparison will be obvious and the cost of the 
program element will be much less than the potential impact of the associated risk. In 
other cases, a program element may have to be delayed in order for higher priorities to be 
addressed first. This comparison process is a necessary component of security design and 
helps keep each risk visible. 


Future-proof 
How do | “future-proof” a security program? What does “future-proof” even mean? 


According to Wikipedia, future-proof refers to the ability of a product, program, business, 
or organization to continue to be valuable and pertinent over time.[3] 


A certain video rental business that lost out to emerging paradigms and ultimately 
became obsolete is an example of the failure to future-proof. A computer business that 
sells not just desktop and laptop computers but mobile devices, tablets, watches, music, 
movies, cloud services and more is an example of what future-proof might look like in the 
technology sector. 


In the context of a security program, a future-proof program design remains effective in 
the face of the ever-changing security threat landscape. This starts with the vision and 
goals of the security program and continues through the development of all elements that 
go into the program design. Constant change and future unknowns must be assumed on 
the part of the architects, in order for the people, processes, and technologies of the 
security program to have the capability to remain pertinent. 


This needs to be well planned, because future-proof does not happen by mistake. 
A number of critical approaches are central to making a security program future-proof: 


¢ Tie security goals to overall organizational goals and strategy 
Ideally, this is a restatement of one of the goals that came out of the security program 
design effort. This one facet — tying security goals to the goals of the larger 
organization — can significantly impact the effectiveness of a security program. 
Moreover, budget requests, performance outcomes (aka metrics), staffing requests, etc., 
are all easier conversations to have when risk-based security goals are tied to business 
goals. 
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Don’t focus on people, process, or technology during the initial program design 
effort. 

The focus of the security design effort should be on the program vision and goals with 
the results of the security risk assessment integrated into the mix. 


Incorporate recurring reviews of all program elements into the overall program 
design. 

A security program must pursue continuous improvement in order to stay current. 
While traditional metrics can be helpful, using a CMM (ref. figure 2) will help break 
down all areas of the program, including those that cannot be quantified. The model 
simply measures and reports the level of development of each program element. 


A defined and documented program review process based on CMM will provide 
opportunity for continuous improvement by identifying program elements that might 
need to be added, changed or retired. Too, a CMM report is graphical in nature and can 
be more easily digestible than pages of numeric metrics. 


Thought challenge: In the ongoing review of the goals of your security 
program, how might you study behaviors in order to understand whether 


the goals are being realized through people, process, and technology? This 


can help identify gaps in your security program that might need to be 
bridged. 


Be intentional with monitoring for new threats and new trends. 

New external threats emerge from numerous directions — geopolitical, social, 
economic, etc. Threats can also emerge from within the organization as employee 
turnover occurs, as profitability goes up and down, and as other influences on the 
organization come and go. This calls for both internal and external monitoring, and can 
include paid intelligence services, privilege utilization monitoring, insider threat 
management tools, and even business process design features that build in the right 
combination of checks and balances that can contribute to the management of security 
risk. 


Plan a robust education, training, and certification program for Security 
personnel. 

While Security Awareness education and training enables the general employee base 
to help manage security risk, the future-proof security program fully engages the 
security staff in an active and comprehensive education, training, and certification 
process. This should include general industry knowledge from the likes of the 
International Information System Security Certification Consortium (ISC), ASIS, ISACA 
and others, but should also include areas of specialization like executive protection, 
emergency response, intelligence, and data analytics. One of the best ways to help keep 
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a security program viable is to keep the employees that run the program current in 
their training and education. 


Include access to subject matter experts. 

There are areas within most any security program in which additional expertise will 
be needed in order to plan, build, implement, and effectively operate a security 
program. The organization must be willing to ask for help. 


For larger organizations that have staff dedicated to security, this may include 
occasional managerial consultation or a program check-up. For smaller organizations 
or others that are not fully staffed, outside help can be a very effective means of 
obtaining access to the subject matter expertise that is needed to help an organization 
manage security risk. 


Following are some important considerations regarding access to subject matter 
experts: 


¢ Consultants 
As security technology plays an ever increasing role, the expertise needed to 
design and execute an appropriate technology strategy may not be on staff. 
Consultants abound in the security technology space and can help with everything 
from simple project management of a security tool implementation effort all the way 
up to development of a full security technology program strategy. 


For smaller organizations that have not matured to the point of having a security 
staff, a virtual Chief Information Security Officer (CISO) or Chief Security Officer 
(CSO) can come in the form of a qualified consultant or “virtual” resource. The idea 
behind this is that a part-time CISO/CSO can help plan and develop an appropriate 
security program without the expense of having a full-time employee on staff. The 
virtual CISO/CSO is, seemingly, becoming more common as more consultancies are 
now offering this service. 


There are many other areas in which consultants can be used within security 
programs. These include, among others, the development of program standards or 
operational procedures, training, threats and intelligence services, strategy and 
planning, the development of services like crisis management or business 
continuity, etc. 


Snapshot — Regulatory requirements 

Financial services firms operating within the State of New York are now 
required to implement a cybersecurity program. One of the required program 
elements is access to a qualified security specialist, whether this person is an 


employee, or is a virtual (CISO/CSO) consultant resource. 
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¢ Areas of specialization 
Individuals or groups that possess a specific, experiential capability to help 
manage critical events are invaluable. An organization has one chance to do things 
right during and immediately after an event (eg. workplace violence). Inappropriate 
or out-of-touch responses can be damaging and have cost good organizations far 
more than monetary penalties associated with lawsuits, etc. Corporate reputations 
have been seriously affected by unfortunate responses to unfortunate events. 


¢ Outsourcing 
Without getting into a deeper conversation regarding outsourcing versus direct 
hire, there are occasions in which it can make sense for development of various 
elements of a security program to be provided by an external service provider 
managed by internal risk, resilience and security leadership. Contracts should 
include service level agreements that directly support the goals and mission of the 
security organization. 


One common consideration with outsourcing is almost always the simple cost of 
hiring and maintaining a staff for a given function. However, managing security risk 
should be the primary concern and must be weighed against the rote response to 
simply save money. 


Practice, Practice, Practice 


A well-loved mantra in the security industry is, “There’s no such thing as being 100% 
secure.” The follow-on to this phrase is, when events occur, there needs to be a well- 
conceived, well-designed, and well-practiced response mechanism in place. 


Just having documented incident response, business continuity, and crisis management 
plans is not enough. An intentionally designed security program incorporates periodic 
exercises to test, practice, and continuously improve these critical response capabilities. 
Recurring exercises also provide opportunities to involve security risk owners that need to 
have additional exposure to security risk management processes and procedures. 


Conclusion 

Security is about risk management. Incomplete security design results in incomplete 
management of security risk, which leaves organizations vulnerable. Focusing on 
individual program elements — whether people, process, or technology — is tantamount 
to incomplete security. 

Idealized Design requires that planning, strategy, and design start with the whole and not 


the individual elements of a program. A security program based on this design method will 
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achieve transformative business value throughout the security risk management lifecycle 
by: 


* ensuring an intentional and comprehensive strategy; 


¢ addressing appropriate security implementation through people, process, and 
technology; 


* involving security risk owners throughout the organization; and 


* preventing overhead associated with unnecessary, siloed, and out-of-focus program 
elements. 


At the organizational level, an idealized security design will result in a culture in which 
employees more thoroughly understand and embrace their part in reducing and managing 
security risk. Security risk owners will be enabled to keep risk transparent across the 
enterprise so leadership can maintain appropriate awareness. The board and executive 
leadership will better understand the role the security organization plays and, 
subsequently, will involve the security organization more proactively in strategic planning 
exercises. This translates to the security organization being in position to more effectively 
lead through subject matter expertise. In turn, this sets the stage for transformation that 
extends well beyond the security group and the things of security. 


References 


1) Ackoff, R. L., Addison, H. J., & Magidson, J. (2006). Idealized design: creating an 
Organizations future. Upper Saddle River, NJ: Wharton School. pp. xxxxvi 

2) Allen, B. J., Loyear, R., & Noakes-Fry, K. (2017). Enterprise Security Risk Management 
Concepts and Applications. Brooksfield: Rothstein Associates, Incorporated. pp. 4 

3) En.wikipedia.org. (2018). Future-proof. [online] Available at: 
https: //en.wikipedia.org/wiki/Future_proof [Accessed 6 Nov. 2018]. 

4) En.wikipedia.org. (2018). Capability Maturity Model. [online] Available at: 
https: //en.wikipedia.org/wiki/Capability_Maturity_Model [Accessed 21 Nov. 2018]. 


About the Author 
Kent Howard holds a Bachelor of Science Degree in Information Technology, as well as 


certifications in both Information Security (CISSP) and Physical Security (CPP). Kent has 
over 20 years of technology and security experience and is currently a security consultant. 


13 


Journal of Physical Security 12(2), 14-17 (2019) 


Hacking Electronic Door Locks 
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Abstract 


A video was published by a Chinese lock company revealing a means to hack electronic door 
locks.[1] The device they used became so popular that it was sold on Alibaba until the government 
banned the device. I will discuss the video disclosure and what it revealed. This video exposes a 
major technical flaw in modern electronic door locks. 


Introduction 


In Asia (unlike other parts of the world), a “Smart Lock” refers specifically to an electronic door 
lock that employs some elements of biometrics to operate. Simply counting the number of times 
a door opens and closes, for example, is not considered “smart” in Asia. The electronic door locks 
tested in the video clearly reflects this point of view. Only electronic locks using some form of 
biometrics were tested in the video. 


The most advanced Asian Smart Locks may require a finger print, a voice print, facial 
recognition, and a passcode. Some of them have a mechanical key lock, in case the electric lock 
fails. Some of the locks in the video only used biometrics. So, when that is defeated, the lock is 
wide open and has been hacked. 


The Video 


The video was filmed in a Chinese electronic lock factory, where there were many different 
brands and styles. They used a handheld device to defeat many of them. The handheld device 
with a spiral antenna, shown in figures | and 2, was developed by that company in China to defeat 
what they call “Smart Locks”.[1] The video clearly shows that the handheld device defeats many 
varieties and models of Smart Locks, but not all of them were tested in the video. The method of 
attack is shown in stills taken from the video, as shown in figure 1, with and a clear image of the 
actual device in figure 2.[1] The video shows many different styles of locks from a variety of 
manufacturers lined up on benches; all the locks were easily defeated in seconds using this device. 
The device was sold online and was so successful at breaking locks that it was banned by the 
Chinese government and is now illegal in China except for use by electronic lock companies as a 
tool for product testing. 


The handheld device in figure 1 has a transistor in a TO-220 case right at the base of the spiral 
antenna. When the button is pushed, a little blue light flashes as the device is swiped across the 
front of the lock. In all cases when the lock opens, it resets in a safe condition so that the lock can 
then opened by turning the handle. 
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Figure 2 shows a clear view of the device and its antenna. It looks like a transistor radio with a 
piece of hand-wound wire in the shape of a spiral coming out of the top and a momentary button 
switch on the side. There is no RF spectrum available for this apparatus shown and it would 
appear, from the video, that the operators do not really know the mechanism that makes this open 
or hack locks. From their perspective, it just seems to work. 


Figure 1: Smart Lock defeated by RF pulse generator. 


One sequence in the video shows the use of a walkie-talkie to open some locks. That sets the 
frequency range for interference on some of the locks that are susceptible to that kind of narrow 
band RF. Some of the wave forms that open some of the locks are shown on an oscilloscope. 
From my experience, this is not really how interference compatibility is handled in Western 
professional laboratories. The video offers no explanations of how anything works, only 
demonstrates that it does. 


Clearly, the successful device shown in figure 2 is using RF interference to cause the onboard 
MCU (microcontroller) chip in the electronic locks to reset. Typically, commercial electronic 
locking devices reset into the open or safe condition with electronic failure, in order to prevent 
obstruction, or require that the door be removed by its hinges or otherwise demolished in an 
emergency. All that is necessary to defeat or hack such electronic locks is to cause the MCU to 
reset due to RF interference or EMI (electromagnetic interference). 
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The device shown in figure 2 from the video is an electric arc generator. The company that 
made the first lock breaker says they used a Tesla coil, but then proceeded to specify a single 
frequency, which is inconsistent with any kind of electric arc or spark generator. Their video 
clearly reveals a flashing blue light when the lock breaker is active. This indicates a high voltage 
electric spark fed directly into the spiral antenna. 


Figure 2: RF pulse generator with antenna. 


Conclusion 


The Chinese produced a video filmed in one of their electronic lock companies that reveals a 
means to defeat what they call Smart Locks. The attack is executed with the casual swipe of a 
simple handheld electric arc generator. The video shows tables with rows of various brands, styles, 
makes, and models of electronic locks. These locks all use various forms of biometrics. 


The main feature of the video was the RF spiral antenna wand. None of the locks tested in the 
video were fried or latched up. From the Chinese perspective (at least in my experience), the 
statistics and data a Westerner wants to see are not relevant, so nothing like that was shown or 
presented in the video. What is relevant to them is that many different locks can be hacked using 
a simple spark gap in seconds, and that is exactly what is shown. The device was so successful 
online at Alibaba, that the Chinese government banned the items making it illegal to possess one 
outside of an electronic lock company, or by police. 
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Poor Practice Using 
Pressure-Sensitive Adhesive Label Seals* 


Roger G. Johnston, Ph.D., CPP 
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Introduction 


Pressure-sensitive adhesive (PSA) seals are widely used for tamper detection. They are 
also widely used BADLY for tamper detection. This paper shows photographs of poor PSA 
seal usage, with a brief explanation for each photo as to why it is poor practice. 


After having studied and defeated hundreds of pressure-sensitive adhesive (PSA) seals 
(and other kinds of tamper-indicating seals) over the years, I have concluded that PSA seals 
do not generally provide reliable tamper detection.[1,2] People like using these “sticky 
labels” because they are inexpensive and appear superficially to be easy to install and 
inspect. They are, however, typically easy even for amateurs to defeat. (To “defeat” a seal 
means to open the seal, then reseal using the original seal or a counterfeit without being 
detected. Simply smashing a seal open or discarding it is not defeating it.) 


If you insist on using PSA seals anyway, despite their relatively poor performance, this 
paper concludes with general suggestions for using PSA seals in ways that increases the 
odds of detecting tampering. 


Poor Practice 


PSA seals are used in large number in elections to secure ballots, election supplies, 
memory cards, voting machines, voting printouts, and storage cabinets. Figure 1 shows a 
typical paper PSA seal. It is usually signed or initialed—which is largely useless—but lacks 
the necessary serial number. Typically, the used and unused seals are not well secured. 
This type of election seal is often used to seal cardboard boxes, which themselves are not 
secure. 


ELECTION 


Figure 1 - a large paper election seal. 


*This paper was not peer reviewed. 
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Figure 2 shows a number of seals being used on the exterior of a voting machine. There 
are additional seals inside this voting machine. The time to inspect all these seals ina 
manner that would reliably detect tampering is onerous. Putting this many PSA seals on a 
voting machine indicates that the machine was poorly designed for tamper detection. See 
reference [2] for more discussion about seal security and voting machines. 


Figure 2 - a voting machine plastered with PSA seals. 


PSA seals are frequently used to “secure” police forensic evidence in envelopes and 
grocery bags, as shown in figures 3 and 4. The problems here include: no serial number on 
the seals, no protection for all of the envelope/bag seams, the use of generic rather than 
custom envelopes/bags, and a fundamentally poor choice for the “container”. 


Figure 3 - forensic evidence in a manila envelope. 


Figure 2 - forensic evidence is sealed in a grocery bag. 
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Figure 4 shows a PSA seal applied to a cardboard box used as packaging for a dual 
PIR/microwave Doppler motion detector. In my experience, such detectors are easy to 
tamper with, especially prior to installation. The problems with this PSA seal application is 
the lack of a serial number, and the absence of any mention of the seal on the box (so that if 
the seal is removed, the end user is unaware there ever was a Seal). An even bigger 
problem is the fact that the bottom of the cardboard box can be opened without disturbing 
the seal. See figure 5. 
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Figure 4 - a PSA seal used on a cardboard box. Figure 5 - the cardboard box can be easily 
opened from the bottom, leaving no evidence. 


Figure 6 shows a frangible, clear plastic film on the cap of the lip balm stick. A slight 
amount of adhesive seem to be in use for the frangible film, so I have included this example 
in this paper. The problem is that if the frangible film is removed, there is no indication on 
the product that there ever was a seal. 


SEALED FOR - 
apm — Chap Stick } 


Figure 6 - the only indication there is a seal in play is on the seal itself. 


Figure 7 is an example of a paper PSA seal that is applied to a urine sample bottle as part 
of an illegal drug test kit. The bottle is made of polyethylene, a very slippery plastic. The 
seal in this photo has self-released after a few hours (without rough handling or tampering) 
because of this slipperiness. This is an example of applying a PSA seal to an inappropriate 
surface. 
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Figure 7 - a PSA seal sticks poorly to a polyethylene plastic container. 


In figure 8, we see an example of old PSA seals that have become so aged, they cannot 
reliably indicate tampering. 


Figure 8 - aged PSA seals. 


Figures 9-15 depict PSA seals applied to gasoline pumps. Presumably, these seals have 
not been attacked and the gas pumps have not been opened. It would be difficult to reliably 
determine if tampering has occurred given their condition. 
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Figure 10 - This is a “void”-type PSA seal that is meant to show “OPEN” if the seal has been opened. 
Parts of the word ”OPEN” appear even though the seal has presumably not been attacked. 
This makes reliable tamper detection problematic. 
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Figure 11 - Another example of seal that partially shows the word “OPEN”. 


Figure 12-a damaged seal. 


Figure 13 - another damaged seal. 
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Figure 14 - another damaged seal; this is used to “secure” 
the credit card reader to prevent skimming of credit card data. 
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Figure 15 - a poorly applied PSA seal. 


If you insist on using adhesive label seals despite their relatively poor security, here are 


some suggestions for better tamper detection: 


1. A unique serial number is necessary for each PSA seal, and must be checked at the time 
of inspection against the seal database. This database must be well protected from 
tampering or replacement. Initialing seals, or having people sign their name on a seal, is 
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largely useless. If you insist on doing it anyway, the seal inspectors should have at least an 
hour of training and practice every year on identifying false signatures. 


2. It should be obvious to seal users—but often is not—that the recorded seal serial 
number, or the unencrypted database of seal serial numbers, MUST NOT accompany the 
seal, or be placed inside the sealed container. 


3. Match the type of adhesive to the surface. The best adhesive for bare metal is not 
necessarily best for painted metal, plastic, wood, cardboard, paper, or glass. 


4. Feel the surface that the seal will be applied to so that you can detect any substances the 
adversary has added to reduce adhesion. Pre-cleaning of the surface with a solvent or 
detergent water is strongly recommended. Residue from previous adhesive label seals 
must be fully removed. 


5. The surface should not be hot, cold, wet, corroded, or peeling when the PSA seal is 
applied. Using PSA seals out of doors, or on moving trucks or cargo containers is highly 
dubious, especially when there are substantial temperature or humidity fluctuations, 
vibrations, and/or grime. 


6. PSA seal adhesives have relatively short shelf-lives of 6 months to 2 years. Do not use 
old seals or store seals under harsh conditions because the adhesive will be degraded. 


7. Do not leave used or unused seals (or seal portions) lying around unsecured. 


8. Do not use seals in sequential order. You do not want an adversary to be able to predict 
the seal serial number. 


9. Full adhesion requires more than 48 hours. This often makes it easy for the first 2 days 
to lift the seal without causing damage or evidence of tampering. Heat can often help speed 
up the adhesion process. (For safety reasons, be careful not to heat any cleaning solvent 
that has not yet fully evaporated!) 


10. Ideally the adhesive, substrate, and ink should be made of the same material, or at least 
they should dissolve in exactly the same solvent. (Few, if any, adhesive label seals are 
designed this way.) 


11. Consider covering the label seal with a plastic protective sheet or clear protective spray 
while it is in use. 


12. During seal inspection, carefully examine the surface area outside the perimeter of the 
seal to look for evidence of attack. 


13. Seals should be compared alongside a well-secured, unused seal (ideally from the same 


batch) to look for evidence of tampering. Discrepancies in size, color, materials, surface 
finish and gloss, fonts, font sizes, and digit size/alignment/tilt/consistency must be noted. 
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14. If the recipient doesn’t know what the seal and envelope (or container) is supposed to 
look like, you are wasting your time. This information cannot accompany the seal or be 
inside the sealed container. 


15. If you are sealing envelopes or boxes with PSA seals, it is important to use custom 
envelopes or boxes, not generic ones available to anybody. Your custom envelopes or 
boxes need to be securely stored and checked out only to authorized personnel. 


16. If the seal serial number is only checked if the seal looks suspicious, you are engaged in 
Security Theater, not serious tamper detection. 


17. If tampering is reported only when the seal is blatantly missing or destroyed (except 
for certain special applications), you are engaged in Security Theater, not serious tamper 
detection. 


18. The best way to detect tampering with an adhesive label seal is to observe (and smell) 
as the seal is being removed. The seal inspector, however, must understand how the seal is 
supposed to behave (and smell) ordinarily upon removal. Smell is useful because the odor 
of paints, inks, coatings, adhesives, or solvents used to attack a seal will often remain 
trapped under the seal or in the seal adhesive for many months. An inexpensive, handheld 
volatile organic chemical (VOC) detector can sometimes be used in place of the human 
nose. 


19. A blink comparator, especially used with a kinematic mount (to exactly re-position the 
camera without any necessary adjustment) is an excellent way to compare before and after 
images of PSA seals to look for tampering. See reference [3]. 


20. Manufacturers and vendors often emphasize the unique features of adhesive label seals 
that they claim are difficult or impossible to replicate. This is usually quite untrue in my 
experience [1,4], but it doesn’t usually matter since most adhesive label seals will be 
attacked by reusing the original seal, perhaps with some artistic, cosmetic, or repair work. 
Thus “lifting’—removing the seal and then replacing it on the original or a different 
container or object without being detected—is usually an easier attack on PSA seals than 
counterfeiting, though from experience I know that counterfeiting is often not very 
difficult.[1,4] 


21. It is critical to keep in mind that counterfeit attacks rarely require true counterfeiting. 
Mimicking of a few of the seal’s attributes is usually easier, and more than adequate to fool 
the seal inspector or a handheld electronic seal reader. 


22. Seals that reveal words like “OPEN” or “VOID” or show patterns when removed from a 
surface are largely gimmicks that do not represent serious challenges to an adversary. (On 
the other hand, this feature can be quite effective for flag seals, i.e., seals for which there is 
no malicious adversary.) 
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23. For more information on how to better use PSA seals, as well as other kinds of seals, 
see reference [4]. 
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Viewpoint Paper 


Wargaming Brexit: 
A Simple Approach for UK Small to Medium Enterprises* 


Philip Hannah 
Seven Questions Consulting 
pwh @sevenquestions.com 


All the business of war, and indeed all the business of life, is to endeavour to find out what you 
don't know by what you do; that's what I called "guessing what was at the other side of the hill”. 
-- Lord Wellington (1769-1852) 


Why? 


Faced with the fact that the worst case (no deal) is now being considered by the 
government and markets as the most likely outcome, I was recently asked by a client to 
suggest how smaller business in the UK might use wargaming techniques to plan for the 
impact of Brexit. 


Other smaller businesses might find these ideas of some use. The benefit of a simple 
wargame is that it enables decision makers to apply scarce resource for maximum effect 
with minimal effort. A simple wargame is always better than no wargame at all—faced 
with confusion and uncertainty the old adage of ‘just do something’ applies! 


Who? 


Wargames require that teams roleplay obstacles to your success (in this case the 
successful execution of your contingency plan for a no deal Brexit). In many cases, you may 
choose a range of competitors, but to keep it simple for most small businesses. you can 
have just four teams (each represented by one person): 


e Team 1 - Your company. 
e Team 2 - Your customers. 


e Team 3 - Your competitors. 
e Team 4 - Your suppliers. 


*This paper was not peer reviewed. 
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It’s not perfect, it’s pretty broad, but to go back to the original point—its far, far better 
than assuming your contingency arrangements are the best they can be! The more people 
you have available, the more teams you can create—perhaps customers by channel or 
suppliers by size or location. 


What? 


We are frequently asked why we drive our clients towards wargaming the most likely 
scenarios over the most dangerous or worst case. The answer is in the question: most 
likely is the most likely. Fortunately in the case of Brexit, we appear to have been spared 
debating the issue since the worst case for many (no deal) is now, by HMG’s own 
admission, the most likely scenario! Thus, you should wargame a no deal Brexit. 


When? 


You should take a snapshot in time (for example the week before 31 Oct, the week after 
or October in general). If time permits, you might want to consider more than one time 
period. The leaked HMG document used 31 Oct, the first week and the first month which is 
as good a set of timeframes as any. For each time slot, you will state the situation, the 
underpinning assumptions, and ‘paint a picture’ of what the world looks like at that point in 
time. Apply as much detail as is sensible, appropriate, and time permits (for example don’t 
apply FOREX assumptions unless they have a real impact on your business). 


How? 


Prior to the session, each person/team should spend some time ‘getting into character’ as 
best they can—reading up and doing some thinking about how their team will react to 
Brexit. This is a very basic approach and your teams are broad; best effort is the key here! 
Plenty of research and useful planning assumptions are available on the Internet including 
documents produced by think tanks, large consultancies, and UK Government depart- 
ments. A few hours of (coordinated) Googling will produce enough info to support a few 
hours of basic wargaming. 


In addition, you will need to agree on the scenario for each timeframe you want to 
consider and agree on the underpinning assumptions. You'll need as much detail as is 
sensible/feasible about what the world/UK will look like in that time period you wish to 
wargame. You will, I’m afraid, have to put a peg in the sand here. We are talking basic 
wargames—research, discuss and then decide on your scenarios. By all means if you have 
time, repeat with alternative ‘what ifs’ but you'll need to go firm on the scenario(s). 


Now you wargame! Assuming you have a contingency plan (no matter how vague) this is 
where you test it. Start the sessions by summarizing the scenario, the assumptions, and 


then your plan, what you will do and why, and then get every other team to respond and 
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challenge. Key here is to frame discussion and responses in terms of “as your suppliers 
given what you have said we will do this...”, you should avoid “..if | was a competitor I 
would probably do this...” subtle differences and driven by the amount of time you have to 
prepare. Give each team a turn to summarize their most likely response, and discuss as 
required. As time is short, this is meant to be quick and dirty so after one series of 
comments (or perhaps a set period of time) EVERYONE gets together, suggests revisions to 
the plan, and you go again. Repeat until (a) you have a plan that is more resilient and 
robust than the one you started with, or (b), you run out of time. 


In Summary 

For the cost of four people, a few hours prep, and a 2/3 hour wargaming session, you will 
have a much more resilient plan, everyone who participates (or observes) will have a 
better, more aligned understanding of the risks and your mitigations, and you'll be better 
placed to weather what happens if/when Brexit occurs on 31 Oct! If you take the time to 
record the assumptions underpinning each scenario then if/when they change, you'll also 


be better placed to respond in a more informed fashion to the changed situation. 


Good luck! Please feel reach out if you think we can help further. 


About the Author 


Philip Hannah is the Director of Seven Questions Consulting which provides bespoke 
wargaming and open source intelligence support to clients globally. 
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Viewpoint Paper 


Revised and Updated Security Maxims* 


Roger G. Johnston, Ph.D., CPP 
Right Brain Sekurity (http://rbsekurity.com) 


This is a revised and updated compilation of my popular security maxims. While these 
maxims are not theorems or absolute truths, they are in my experience essentially valid 80- 
90% of the time in physical security and nuclear safeguards. They probably also have 
considerable applicability to cyber security. 


Note that some of these maxims are obviously hyperbole and/or tongue-in-cheek, but 
that does not necessarily make them untrue. You ignore these maxims at your own (and 
others’) peril, especially the ones in red (and marked with an asterisk)! 


1. Arrogance Maxim: The ease of defeating a security device or system is proportional to 
how confident/arrogant the designer, manufacturer, or user is about it, and to how often 
they use words like “impossible” or “tamper-proof”. 


2. Warner’s (Chinese Proverb) Maxim: There is only one beautiful baby in the world, 
and every mother has it. Comment: Everybody’s security or security product is beautiful 
(to them). 


*3. Band-Aid Maxim: Effective security is difficult enough when designed in from scratch. 
It can rarely be added on at the end, or as an afterthought. Comment: So plan security at 
the earliest design stages of a security device, system, or program. 


4. Get Use To It Maxim: The recommended use protocol for any given security device, 
system, or product (if there even is one) is not well thought through from a vulnerability 
standpoint. 


*5. Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security 
or a bad security product. Comment: Fear is a good vaccine against both arrogance and 


ignorance. 


*6. So We're In Agreement Maxim: If you’re happy with your security, so are the bad 
guys. 


32 


Journal of Physical Security 12(2), 32-52 (2019) 


*7, Ignorance is Bliss Maxim: The confidence that people have in security is inversely 
proportional to how much they know about it. Comment: Security looks easy if you’ve 
never taken the time to think carefully about it. 


8. Titanic Maxim: All confidence is over-confidence, if not arrogance. 


9. Infinity Maxim: There are an unlimited number of security vulnerabilities for a given 
security device, system, or program, most of which will never be discovered (by the good 
guys or bad guys). Comment: We think this is true because we always find new 
vulnerabilities when we look at the same security device, system, or program a second or 
third time, and because we always find vulnerabilities that others miss, and vice versa. 


10. Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or 
only a few is worthless and wrong. 


11. Weakest Link Maxim: The efficacy of security is determined more by what is done 
wrong than by what is done right. Comment: Because the bad guys typically attack 
deliberately and intelligently, not randomly. 


12. Safety Maxim: Applying the methods of safety to security doesn’t work well, but the 
reverse may have some merit. Comment: Safety is typically analyzed as a stochastic or 
event/fault tree kind of problem, whereas the bad guys typically attack deliberately and 
intelligently, not randomly. For a discussion about using security methods to improve 
safety, see RG Johnston, Journal of Safety Research 35, 245-248 (2004). 


*13. High-Tech Maxim: The amount of careful thinking that has gone into a given security 
device, system, or program is inversely proportional to the amount of high-technology it 
uses. Comment: In security, high-technology is often taken as a license to stop thinking 
critically. 


14. Doctor Who Maxim: “The more sophisticated the technology, the more vulnerable it is 
to primitive attack. People often overlook the obvious.” Comment: This quote is from Tom 
Baker as Doctor Who in The Pirate Planet (1978). 


*15. Low-Tech Maxim: Low-tech attacks work (even against high-tech devices and 
systems). Comment: So don’t get too worked up about high-tech attacks. 


16. Black Box Maxim: An adversary can defeat a security device or system (even if high- 
tech) with only a partial understanding of how it (or the software/firmware) works. 
Comment: Based on a lot of experience. 


17. Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are 


about a given security technology, the less they understand (1) that technology and (2) 
their own security problems. Comment: From security guru Bruce Schneier. 
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18. Sexy Maxim: The sexier a security device, system, or program appears to be, the less 
security it has to offer. 


19. What a Deal Maxim: The introduction of high-tech security products into your 
security program will: (1) probably not improve your security, (2) almost certainly 
increase your overall security costs (though perhaps it will decrease inventory, shipping, or 
other business costs), and (3) probably increase security labor costs (with the sometimes 
exception of CCTV). 


20. Too Good Maxim: If a given security product, technology, vendor, or techniques 
sounds too good to be true, it is. And it probably sucks big time. 


*21. You Must Be High Maxim 1: Any security product that is labeled “high security” isn’t. 


*22. You Must Be High Maxim 2: “High Security” is a context- and application-dependent 
value judgment, not a product attribute. 


23. That’s Extra Maxim: Any given security product is unlikely to have significant security 
built in, and will thus be relatively easy to defeat. 


24. I Just Work Here Maxim: No salesperson, engineer, or executive of a company that 
sells or designs security products or services is prepared to answer a significant question 
about vulnerabilities, and few potential customers will ever ask them one. 


25. Bob Knows a Guy Maxim: Most security products and services will be chosen by the 
end-user based on purchase price plus hype, rumor, innuendo, hearsay, and gossip. 


26. My Crazy Girlfriend/Boyfriend Maxim: Any methodology for selecting a security 
device or system (or for deciding whether a new one should be fielded) will ignore, assign 
insufficient weight to, or be ignorant of the fact that it can be easily defeated. 
Consequently, the device or system will be accepted for reasons other than effective 
security. Comment: (Named after people who select a romantic partner with many 
admirable traits but who happens to be a psychopath.) If a security device or system does 
not provide good security, any of its other attributes are irrelevant. The maxim applies to 
qualitative, semi-quantitative, and quantitative methodologies for ranking/rating. 


27. He Just Seems So Knowledgeable Maxim: Most organizations get the majority of 
their physical security advice from salespeople (who somehow seem to recommend their 
own products), or from colleagues who got their information from salespeople. 


28. Tamper-Proof Maxim: Any claim by a salesperson about the performance of a 
physical security product (including the claim of absolute security) will be believed by 
default by the customer, while warnings about vulnerabilities or limitations by 
vulnerability assessors or others with first-hand experience will be met with incredulity. 
Comment: A classic example of this can be found in the all-to-common seal customers who 
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maintain that their seals cannot not be spoofed because the manufacturer calls them 
“tamper-proof”. 


29. Magic Light Inside the Refrigerator Maxim: Deploying a simple mechanical tamper 
switch or light sensor to detect tampering with a device (e.g., a motion sensor) or container 
is approximately the same thing as having no tamper detection at all. Comment: The 
reasons for this include (1) such tamper detectors are usually easy for a resourceful person 
to defeat, (2) they are often poorly designed, (3) the tamper signal/alarm is ignored or 
misinterpreted, and/or (4) the tamper signal isn’t even hooked up. 


30. Key Maxim (Tobias’s Maxim #1): The key does not unlock the lock. Comment: From 
Marc Weber Tobias. The point is that the key activates a mechanism that unlocks the lock. 
The bad guys can go directly to that central unlocking mechanism to attack the lock (or do 
other things) and entirely bypass the key or pins. This maxim is related to the “I am 
Spartacus Maxim” below and to a corollary (also from Marc Weber Tobias) that “electrons 
don’t open doors, mechanical mechanisms do”. 


31. Tobias’s Maxim #2: Things are rarely what they appear to be. Comment: From Marc 
Weber Tobias. Or as Yogi Berra said, “Nothing is like it seems, but everything is exactly like 
itis.” 


32. There’s The Opening Maxim (Tobias’s Maxim #3): Any opening in a security 
product creates a vulnerability. Comment: From Marc Weber Tobias. 


33. Tobias’s Maxim #4: You must carefully examine both critical and non-critical 
components to understand security. Comment: From Marc Weber Tobias. 


34. Contrived Duelism/Dualism Maxim: The promoters of any security product meant 
to deal with any sufficiently challenging security problem will invoke a logical fallacy 
(called “Contrived Dualism”) where only 2 alternatives are presented and we are pressured 
into making a choice, even though there are actually other possibilities. Comment: For 
example: “We found a convicted felon, gave him a crowbar, and he couldn’t make the lock 
open after whaling on it for 10 minutes. Therefore, the lock is secure.” Another example, 
“Nobody in the company that manufacturers this product can figure out how to defeat it, 
and I bet you, Mr./Ms. Potential Customer [never having seen this product before in your 
life] can’t think up a viable attack on the spot. Therefore, this product is secure.” 


35. Familiarity Maxim: Any security technology becomes more vulnerable to attacks 
when it becomes more widely used, and when it has been used for a longer period of time. 


36. Antique Maxim: A security device, system, or program is most vulnerable near the 
end of its life. 


*37. Schneier’s Maxim #2 (Control Freaks Maxim): Control will usually get confused 
with Security. Comment: From security guru Bruce Schneier. Even when Control doesn’t 
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get confused with Security, lots of people and organizations will use Security as an excuse 
to grab Control, e.g., the Patriot Act. 


38. Father Knows Best Maxim: The amount that (non-security) senior managers in any 
organization know about security is inversely proportional to (1) how easy they think 
security is, and (2) how much they will micro-manage security and invent arbitrary rules. 


39. Big Heads Maxim: The farther up the chain of command a (non-security) manager can 
be found, the more likely he or she thinks that (1) they understand security and (2) 
security is easy. 


40. Huh Maxim: When a (non-security) senior manager, bureaucrat, or government 
official talks publicly about security, he or she will usually say something stupid, 
unrealistic, inaccurate, and/or naive. 


41. It’s All About Me Maxim: Government employees involved with security and counter 
intelligence will confuse what makes their job easier with what is good for national 
security. 


*42. Voltaire’s Maxim: The problem with common sense is that it is not all that common. 
Comment: Real world security blunders are often stunningly dumb. 


43. Yippee Maxim: There are effective, simple, & low-cost counter-measures (at least 
partial countermeasures) to most vulnerabilities. 


44. Arg Maxim: But users, manufacturers, managers, & bureaucrats will be reluctant to 
implement them for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or 
cognitive dissonance. 


*45. Show Me Maxim: No serious security vulnerability, including blatantly obvious ones, 
will be dealt with until there is overwhelming evidence and widespread recognition that 
adversaries have already catastrophically exploited it. In other words, “significant 
psychological (or literal) damage is required before any significant security changes will be 
made”. 


*46. Friedman’s Maxim: "Only a crisis—actual or perceived—produces real change. When 
the crisis occurs, the actions that are taken depend on the ideas that are lying around." --Milton 
Friedman (1912-2006). Comment: This is why it is so important to actively discuss and analyze 
alternative approaches to security. Not because they will be automatically adapted even if they 
are good ideas, but because we want lots of good ideas lying around for when a real or perceived 
serious security incident occurs. 


47. Could’ve, Would’ve, Should’ve Maxim: Organizations and Security Managers will 
dismiss a serious vulnerability as of no consequence if there exists a simple 
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countermeasure—even if they haven't bothered to actually implement that 
countermeasure. 


48. Payoff Maxim: The more money that can be made from defeating a technology, the 
more attacks, attackers, and hackers will appear. 


49. 1 Hate You Maxim 1: The more a given technology is despised or distrusted, the more 
attacks, attackers, and hackers will appear. 


50. I Hate You Maxim 2: The more a given technology causes hassles or annoys security 
personnel, the less effective it will be. 


51. Good vs. Evil Maxim: Ethical hackers improve security more often than they place it at 
risk. 


52. Colsch's (KISS or Kitchen Sink) Maxim: Security won't work if there are too many 
different security measures to manage, and/or they are too complicated or hard to use. 


53. That’s Cold Maxim: An adversary who attacks cold (without advance knowledge or 
preparation) is stupid and amateurish, often too much so to be a real threat. Moreover, he 
almost never has to attack cold. Comment: Thus don’t overly focus on this kind of attack, 
or use it as an excuse not to fix vulnerabilities. 


54. Shannon’s (Kerckhoffs’) Maxim: The adversaries know and understand the security 
hardware, software, algorithms, and strategies being employed. Comment: This is one of 
the reasons why open source security (e.g., open source cryptography or open source 
locks) makes sense. 


55. Corollary to Shannon’s Maxim: Thus, “Security by Obscurity”, i.e., security based on 
keeping long-term secrets, is not a good idea. Comment: Short-term secrets can create 
useful uncertainty for an adversary, such as temporary passwords and unpredictable 
schedules for guard rounds. But relying on long term secrets for good security is not smart. 
People and organizations cannot keep long-term secrets. 


56. Transparency Maxim: Security is usually better when it is transparent. Comment: 
Ironically—and somewhat counter-intuitively—security is usually more effective when it is 
transparent. This allows for discussion, analysis, understanding, outside review, criticism, 
accountability, buy-in, and continuing improvement. 


57. Gossip Maxim: People and organizations can’t keep secrets. Comment: See Manning 
and Snowden. 


58. How Inconvenient! Maxim: Convenience is typically not compatible with good 
security, yet, paradoxically, security that isn’t convenient usually doesn’t work well. 
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*59. Plug into the Formula Maxim: Engineers don’t understand security. Comment: 
They tend to work in solution space, not problem space. They rely on conventional designs 
and focus on a good experience for the user and manufacturer, rather than a bad 
experience for the bad guy. They view nature or economics as the adversary, not people, 
and instinctively think about systems failing stochastically, rather than due to deliberate, 
intelligent, malicious intent. Being intelligent does not automatically make you think like a 
bad guy. (Magicians and con artists know that technical people are often the easiest people 
to scam because they think logically!) 


60. Rohrbach’s Maxim: No security device, system, or program will ever be used properly 
(the way it was designed) all the time. 


61. Rohrbach Was An Optimist Maxim: No security device, system, or program will ever 
be used properly. 


62. Ox Votes for the Moron Maxim: “Election Security” is an oxymoron. 


63. Election Oaf Ficial Maxim: Any given election official most likely (1) doesn’t believe 
that security is part of their job, (2) doesn’t think there are any election security issues, (3) 
has never tried to envision an attack, and (4) believes any questioning of their election 
security is a political attack. 


64. Not My Problem Maxim: The only for-profit organizations more clueless about 
security than manufacturers and vendors of security products are manufacturers and 
vendors who make products that they (mistakenly) think have no security implications or 
potential attackers. Comment: Examples: electronic voting machines and medical 
electronics. 


65. Security Costs Extra Maxim: You won't usually get better security products by telling 
the manufacturer or vendor about the vulnerabilities, but you'll have a somewhat better 
chance if you tell the customers and let the manufacturer/vendor know you have. 


66. Thanks But No Thanks Maxim: It is a waste of time to try to help a person or 
organization improve their security if one or more of the following are true: (1) They are 
arrogant in denial about their security problems; (2) They don’t think their security can 
improve; (3) They don’t want their security to improve; and/or (4) They are severely 
unimaginative. 


67. Purely Reflex (PR) Maxim: After a public hacking, tampering event, or serious 
security incident, the lawyers, senior management, and the Public Relations Department 
will be unprepared and will handle the situation in an incompetent, knee-jerk, self- 
defeating manner that harms the organization and its reputation. 


68. Inside Tip Maxim: There are always real and substantial insider threats. 
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*69. Insider Risk Maxim: Most organizations will ignore or seriously underestimate the 
threat from insiders. Comment: Maybe from a combination of denial that we’ve hired bad 
people, and a (justifiable) fear of how hard it is to deal with the insider threat? 


*70. We Have Met the Enemy and He is Us Maxim: The insider threat from careless or 
complacent employees and contractors exceeds the threat from malicious insiders (though 
the latter is not negligible.) Comment: This is partially, though not totally, due to the fact 
that careless or complacent insiders often unintentionally help nefarious outsiders. Also, 
see Schryver’s Law below. 


71. Fair Thee Well Maxim: Employers who talk a lot about treating employees fairly 
typically treat employees neither fairly nor (more importantly) well, thus aggravating the 
insider threat and employee turnover (which is also bad for security). 


72. The Inmates are Happy Maxim: Large organizations and senior managers will go to 
great lengths to deny employee disgruntlement, see it as an insider threat, or do anything 
about it. Comment: There are a wide range of well-established tools for mitigating 
disgruntlement. Most are quite inexpensive. 


73. Two Kinds Maxim 1: Disengaged employees fall into 2 categories, those who quit and 
leave, and those who quit and stay. 


74. Two Kinds Maxim 2: Disgruntled employees fall into 2 categories, those who engage 
in retaliation & sabotage, and those who are currently contemplating it. 


75. Beef Jerky Maxim: Employees don't leave jobs, they leave jerks. 


*76. Make ‘Em Gruntled Maxim: Disgruntlement is the easiest motivator of inside 
attackers to counter. Comment: There are a number of motivations for deliberate inside 
attacks. These include: greed; ideology, political activism, and radicalization; terrorism; 
coercion/blackmail; desire for excitement; the phenomenon of a self-identified Cassandra; 
disgruntlement; and (maybe) mental illness. Of these, disgruntlement is the easiest to 
counter by treating insiders well, followed by dealing with Cassandras. [In Greek 
mythology, Cassandra was given the power of prophecy, but then cursed such that nobody 
would believe her. A self-identified Cassandra warns of security risks, but when isn’t 
believed will instigate the prophesized attack(s). |] 


77.80% Maxim: When an employee is disgruntled, if someone in the organization with 
even a little authority will simply listen to, validate, and empathize with the employee, 
approximately 80% of the time the employee will feel significantly better about the 
problem, himself/herself, and the organization as a whole. Comment: Remarkably, it isn’t 
even necessary to agree with the employee about their complaint(s), or fix whatever is 
bugging him or her—though, when possible, a sincere attempt to fix the problem can goa 
long ways towards mitigating the disgruntlement. 
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78. HR Maxim: In any given large organization, the Human Resources Department is more 
likely to make security worse than it is to make it better. Indeed, your greatest security 
threat may be HR. 


*79. Troublemaker Maxim: The probability that a security professional has been 
marginalized by his or her organization is proportional to his/her skill, creativity, 
knowledge, competence, and eagerness to provide effective security. 


80. Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors 
and others who point out vulnerabilities or suggest security changes more than malicious 
adversaries. Comment: An entertaining example of this common phenomenon can be 
found in “Surely You are Joking, Mr. Feynman!”, published by W.W. Norton, 1997. During 
the Manhattan Project, when physicist Richard Feynman pointed out physical security 
vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt 
with (which would have been easy). 


*81. Questionable Security Maxim: If nobody is questioning or criticizing your security, 
you have bad security. 


82. Irresponsibility Maxim: It'll often be considered “irresponsible” to point out security 
vulnerabilities (including the theoretical possibility that they might exist), but you'll rarely 
be called irresponsible for ignoring or covering them up. 


*83. Backwards Maxim: Most people will assume everything is secure until provided 
strong evidence to the contrary—exactly backwards from a reasonable approach. 


84. Narcissist Maxim: Security managers, bureaucrats, manufacturers, vendors, and end- 
users will automatically assume that, if they cannot readily conceive of a way to defeat a 
security product (or a security program), then nobody else can. Remarkably, this will be 
true even for people with little or no experience, resources, or aptitude for defeating 
security, and even if they are spectacularly unimaginative. 


85. You Could’ve Knocked Me Over with a Feather Maxim 1: Security managers, 
bureaucrats, manufacturers, vendors, and end users will always be amazed at how easily 
their security products or programs can be defeated. 


86. You Could’ve Knocked Me Over with a Feather Maxim 2: Having been amazed once, 
security managers, bureaucrats, manufacturers, vendors, and end users will be equally 
amazed the next time around. 


87. That’s Why They Pay Us the Big Bucks Maxim: Security is nigh near impossible. It’s 
extremely difficult to stop a determined adversary. Often the best you can do is discourage 
him, and maybe minimize the consequences when he does attack, and/or maximize your 
organization’s ability to bounce back (resiliency). 
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88. Throw the Bums Out Maxim: An organization that fires high-level security managers 
when there is a major security incident, or severely disciplines or fires low-level security 
personnel when there is a minor incident, will never have good security. 


*89. Scapegoat Maxim: The main purpose of an official inquiry after a serious security 
incident is to find somebody to blame, not to fix the problems. 


90. Eeny, Meeny, Miny Maxim: The scapegoat(s) chosen after a serious security incident 
will tend to be chosen from among these 3 groups: those who had nothing to do with the 
incident, those who lacked the authority and resources to prevent it, and those whose 
warnings about the possibility of this or related incidents went unheeded. 


91. A Priest, a Minister, and a Rabbi Maxim: People lacking imagination, skepticism, and 
a sense of humor should not work in the security field. 


92. I Question This Maxim Maxim: Skepticism about security (if not all-out cynicism) is 
almost always warranted. Moreover, it is a powerful tool for analyzing or evaluating 
security. 


93. Thinking Outside the Bun Maxim: Any security manager who cannot think of a new 
place to have lunch oversees a poor security program. 


*94. Absence of Evidence As Evidence of Absence Maxim: The fact that any given 
unimaginative bureaucrat or security manager cannot immediately envision a viable attack 
scenario will be taken as proof that there are no vulnerabilities. 


95. That’s Not My Department Maxim: Any employee who’s job primarily entails 
checking on security compliance will have no interest in (or understanding of) security, will 
not permit it to interfere with his/her job, and will look at you like you are crazy if you 
raise any actual security concerns. 


96. Deer in the Headlights (I’m With Stupid) Maxim: Any sufficiently advanced 
cowardice, fear, arrogance, denial, ignorance, laziness, or bureaucratic intransigence is 
indistinguishable from stupidity. 


*97. Cowboy Maxim: You can lead a jackass to security, but you can't make him think. 
98. Awareness Training: Most security awareness training turns employees against 
security and/or hypocritically represents the organization as having a good security 
culture when it does not. 

99. See I (Just Work Here) Maxim 1: (Your security awareness or CI training not 


withstanding) any given Counter-Intelligence (CI) Officer doesn’t want to hear about your 
CI concerns, and will do nothing about them if they are forced upon him/her. 
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100. See I (Just Work Here) Maxim 2: Any bureaucrat sufficiently high up in the Security 
or Counter-Intelligence Department doesn’t get Counter Intelligence (CI). 


*101. Mr. Spock Maxim: The effectiveness of a security device, system, or program is 
inversely proportional to how angry or upset people get about the idea that there might be 
vulnerabilities. 


102. Double Edge Sword Maxim: Within a few months of its availability, new technology 
helps the bad guys at least as much as it helps the good guys. 


*103. Mission Creep Maxim: Any given device, system, or program that is designed for 
inventory will very quickly come to be viewed—quite incorrectly—as a security device, 
system, or program. Comment: This is a sure recipe for lousy security. Examples include 
RFIDs, GPS, and many so-called nuclear Material Control and Accountability (MC&A) 
programs. 


*104. We'll Worry About it Later Maxim: Effective security is difficult enough when you 
design it in from first principles. It almost never works to retrofit it in, or to slap security on 
at the last minute, especially onto inventory technology. 


*105. Somebody Must’ve Thought It Through Maxim: The more important the security 
application, the less careful and critical thought and research has gone into it. Comment: 
Research-based practice is rare in important security applications. For example, while the 
security of candy and soda vending machines has been carefully analyzed and researched, 
the security of nuclear materials has not. Perhaps this is because when we have a very 
important security application, committees, bureaucrats, power grabbers, business 
managers, and linear/plodding/unimaginative thinkers take over. Also, there is mental 
paralysis because the stakes are so high. 


106. That’s Entertainment Maxim: Ceremonial Security (a.k.a. “Security Theater”) will 
usually be confused with Real Security; even when it is not, it will be favored over Real 
Security. Comment: Thus, after September 11, airport screeners confiscated passengers’ 
fingernail clippers, apparently under the theory that a hijacker might threaten the pilot 
with a bad manicure. At the same time, there was no significant screening of the cargo and 
luggage loaded onto passenger airplanes. 


107. Ass Sets Maxim: Most security programs focus on protecting the wrong assets. 
Comment: Often the focus is excessively on physical assets, not more important assets such 
as people, intellectual property, trade secrets, good will, an organization’s reputation, 
customer and vendor privacy, etc. 


*108. Vulnerabilities Trump Threats Maxim: If you know the vulnerabilities 
(weaknesses), you've got a shot at understanding the threats (the probability that the 
weaknesses will be exploited, how, and by whom). Plus you might even be ok if you get the 
threats wrong (which you probably will). But if you focus only on the threats, you're likely 
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to be in trouble. Comment: It’s hard to predict the threats accurately, but threats (real or 
imagined) are great for scaring an organization into action. It’s not so hard to find the 
vulnerabilities if you really want to, but it is usually difficult to get anybody to do anything 
about them. 


109. Vulnerabilities are the Threat Maxim: Security (and emergency response) typically 
fails not because the threats were misunderstood, but because the vulnerabilities were not 
recognized and/or not mitigated. 


110. See No Evil Maxim: Organizations and security managers are more afraid of 
vulnerabilities than threats, so much so that they will often deny that vulnerabilities can 
exist, rather than address them. 


111. Gap Maxim: People and organizations that talk about “gaps” in their security (rather 
than vulnerabilities or attack scenarios) have middling security at best. Comment: At least 
they are able to acknowledge that vulnerabilities can exist (a good thing) but the gap/no- 
gap binary mindset is not conducive to good security. 


112. Risky Business Maxim: Many of the activities involved in developing or evaluating 
security measures will only have a partial or superficial connection to true Risk 
Management. 


113. Stupid Met Tricks Maxim: Any given security metric is more likely to measure 
security management, compliance with rules, or performance against one very specific 
(and improbable) attack scenario than actual security. And it probably drives more 
undesirable security behaviors and attitudes than good ones. 


114. Mermaid Maxim: The most common excuse for not fixing security vulnerabilities is 
the belief that they simply can't exist. Comment: Often, the evidence offered that no 
security vulnerabilities exist is that the security manager who expresses this view can’t 
personally imagine how to defeat the security. 


115. Onion Maxim: The second most common excuse for not fixing security 
vulnerabilities is that "We have many layers of security", i.e., we rely on "Security in Depth". 
Comment: Security in Depth has its uses, but it should not be the knee jerk response to 
difficult security challenges, nor an excuse to stop thinking and improving security, as it 
often is. 


116. Hopeless Maxim: The third most common excuse for not fixing security 
vulnerabilities is that "all security devices, systems, and programs can be defeated". 
Comment: This maxim is typically expressed by the same person who initially invoked the 
Mermaid Maxim, when he/she is forced to acknowledge that the vulnerabilities actually 
exist because they’ve been demonstrated in his/her face. A common variant of the 
hopeless maxim is “sure, we could implement that inexpensive countermeasure so that the 
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average person on the street couldn’t defeat our security with a bobby pin, but then the bad 
guys would just come up with another, more sophisticated attack”. 


117. Takes One to Know One Maxim: The fourth most common excuse for not fixing 
security vulnerabilities is that "our adversaries are too stupid and/or unresourceful to 
figure that out." Comment: Never underestimate your adversaries, or the extent to which 
people will go to defeat security. 


118. Depth, What Depth? Maxim: For any given security program, the amount of critical, 
skeptical, creative, and intelligent thinking that has been undertaken is inversely 
proportional to how strongly the strategy of "Security in Depth" (layered security) is 
embraced. 


*119. Waylayered Security Maxim: Complex layered security will fail stupidly. 
Comment: See, for example, the 82-year old nun penetrating the Y-12 nuclear facility, or 
various White House fence jumpers. 


120. Gatekeeper (“We'll Only Get Suspicious When Bob Does”) Maxim: Organizations 
and security managers will frequently deploy multiple security measures (perhaps 
layered), but only put them into play if a particular measure (or layer) indicates there 
might be a problem—thus largely negating the other measures (or layers). Thus, 
adversaries often need to spoof or neutralize only one key measure to defeat the overall 
security. Comment: The 1 security measure (or layer) that is relied upon is usually the 
easiest to interpret. Examples of this maxim: (1) In some facilities, guards do nothing until 
an audible alarm sounds. (2) Ifa cargo tamper-indicating seal appears intake, it may not be 
carefully inspected or its serial number compared with records—thus ignoring most of its 
security features. 


121. Redundancy/Orthogonality Maxim: When different security measures are thought 
of as redundant or “backups”, they typically are not. Comment: Redundancy is often 
mistakenly assumed because the disparate functions of the two security measures aren’t 
carefully thought through. 


122. Tabor’s Maxim #1 (Narcissism Maxim): Security is an illusionary ideal created by 
people who have an overvalued sense of their own self worth. Comment: From Derek 
Tabor. This maxim is cynical even by our depressing standards—though that doesn’t make 
it wrong. 


123. Tabor’s Maxim #2 (Cost Maxim): Security is practically achieved by making the cost 
of obtaining or damaging an asset higher than the value of the asset itself. Comment: From 
Derek Tabor. Note that “cost” isn’t necessarily measured in terms of dollars. 


124. Buffett’s Maxim: You should only use security hardware, software, and strategies 
you understand. Comment: This is analogous to Warren Buffett’s advice on how to invest, 
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but it applies equally well to security. While it’s little more than common sense, this advice 
is routinely ignored by security managers. 


*125. Just Walk It Off Maxim: Most organizations will become so focused on prevention 
(which is very difficult at best), that they fail to adequately plan for mitigating attacks, and 
for recovering when attacks occur. 


126. Thursday Maxim: Organizations and security managers will tend to automatically 
invoke irrational or fanciful reasons for claiming that they are immune to any postulated or 
demonstrated attack. Comment: So named because if the attack or vulnerability was 
demonstrated on a Tuesday, it won’t be viewed as applicable on Thursday. Our favorite 
example of this maxim is when we made a video showing how to use GPS spoofing to hijack 
a truck that uses GPS tracking. In that video, the GPS antenna was shown attached to the 
side of the truck so that it could be easily seen on the video. After viewing the video, one 
security manager Said it was all very interesting, but not relevant for their operations 
because their trucks had the antenna on the roof. 


127. Galileo’s Maxim: The more important the assets being guarded, or the more 
vulnerable the security program, the less willing its security managers will be to hear about 
vulnerabilities. Comment: The name of this maxim comes from the 1633 Inquisition 
where Church officials refused to look into Galileo’s telescope out of fear of what they 
might see. 


*128. Michener’s Maxim: We are never prepared for what we expect. Comment: From a 
quote by author James Michener (1907-1997). As an example, consider Hurricane Katrina. 


129. Black Ops Maxim: If facility security is the responsibility of the Facility Management 
or (in government) Operations Department, then security will be given about as much 
importance and careful analysis as snow removal or taking out the trash. 


130. Accountability 1 Maxim: Organizations that talk a lot about holding people 
accountable for security are talking about mindless retaliation, not a sophisticated 
approach to motivating good security practices by trying to understand human and 
organizational psychology, and the realities of the workplace. 


131. Accountability 2 Maxim: Organizations that talk a lot about holding people 
accountable for security will never have good security. Comment: Because if all you can do 
is threaten people, rather than developing and motivating good security practices, you will 
not get good results in the long term. 


132. Blind-Sided Maxim: Organizations will usually be totally unprepared for the security 
implications of new technology, and the first impulse will be to try to mindlessly ban it. 
Comment: Thus increasing the cynicism regular (non-security) employees have towards 
security. 
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133. Better to be Lucky than Good Maxim: Most of the time when security appears to be 
working, it’s because no adversary is currently prepared to attack. 


134. Success Maxim: Most security programs “succeed” (in the sense of their being no 
apparent major security incidents) not on their merits but for one of these reasons: (1) the 
attack was surreptitious and has not yet been detected, (2) the attack was covered up by 
insiders afraid of retaliation and is not yet widely known, (3) the bad guys are currently 
inept but that will change, or (4) there are currently no bad guys interested in exploiting 
the vulnerabilities, either because other targets are more tempting or because bad guys are 
actually fairly rare. 


135. Rigormortis Maxim: The greater the amount of rigor claimed or implied for a given 
security analysis, vulnerability assessment, risk management exercise, or security design, 
the less careful, clever, critical, imaginative, and realistic thought has gone into it. 


136. Catastrophic Maxim: Most organizations mistakenly think about and prepare for 
rare, catastrophic attacks (if they do so at all) in the same way as for minor security 
incidents. 


137.1 am Spartacus Maxim: Most vulnerability or risk assessments will let the good guys 
(and the existing security infrastructure, hardware, and strategies) define the problem, in 
contrast to real-world security applications where the bad guys get to. Comment: Named 
for the catch-phrase from the 1960 Stanley Kubrick film Spartacus. When the Romans 
captured Spartacus’ army, they demanded he identify himself, but all his soldiers claimed 
to be Spartacus. Not historically accurate, but very Hollywood! 


138. Methodist Maxim: While vulnerabilities determine the methods of attack, most 
vulnerability or risk assessments will act as if the reverse were true. 


139. Tucker's Maxim #1 (Early Bird & Worm Maxim): An adversary is most vulnerable 
to detection and disruption just prior to an attack. Comment: So seize the initiative in the 
adversary's planning stages. From Craig Tucker. 


140. Tucker's Maxim #2 (Toss the Dice Maxim): When the bullets start flying, it's a 
crapshoot and nobody can be sure how it'll turn out. Comment: So don't let it get to that 
point. From Craig Tucker. 


141. Tucker's Maxim #3 (Failure = Success Maxim): If you're not failing when you're 
training or testing your security, you're not learning anything. Comment: From Craig 
Tucker. 


142. Gunslingers’ Maxim: Any government security program will mistakenly focus more 


on dealing with force-on-force attacks and brute force methods than on more likely attacks 
involving insider threats and subtle, surreptitious approaches. 
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143. We Built This Door for You: The security of most facilities will be based on the 
wrong idea that the bad guys will use the existing doors, stairs, and hallways to execute an 
attack. Comment: And security sensors, video cameras, and guards will be dangerously 
misplaced as a result. 


144. Fool-On-Fool Maxim: The incompetence of any security program is proportional to 
the degree of obsession with idea that the major threat is a small band of stupid, 
unprepared adversaries who mindlessly attack straight on, using force and zero insiders. 
Comment: Somehow, the number of envisioned attackers is always less than the number 
the security program can purportedly neutralize. 


*145. 3D Maxim: The incompetence of any security program is proportional to how 
strongly the mantra of “Deter, Detect, Delay” is embraced. Comment: This philosophy, 
while theoretically having some merit, is (as a practical matter) strongly correlated with 
unimaginative, non-proactive security. 


146. D(OU)BT Maxim: If you think Design Basis Threat (DBT) is something to test your 
security against, then you don’t understand DBT and you don’t understand your security 
application. Comment: If done properly—which it often is not—DBT is for purposes of 
allocating security resources based on probabilistic analyses, not judging security 
effectiveness. Moreover, if the threat probabilities in the DBT analysis are all essentially 1, 
the analysis is deeply flawed. 


147. It’s Too Quiet Maxim: “Bad guys attack, and good guys react” is not a viable security 
strategy. Comment: It is necessary to be both proactive in defense, and to preemptively 
undermine the bad guys in offense. 


148. Executive Protection / Peter Principle / Power Corrupts Maxim: Money spent on 
protecting high-level executives is wasted, as the organization would be much better off 
without the arrogant, narcissistic, misogynistic morons. 


149. Nietzsche’s Maxim: It’s not winning if the good guys have to adopt the 
unenlightened, illegal, or morally reprehensible tactics of the bad guys. Comment: 
"Whoever fights monsters should see to it that in the process he does not become a 
monster.” Friedrich Nietzsche (1844-1900), Beyond Good and Evil. 


*150. Patton’s Maxim: When everybody is thinking alike about security, then nobody is 
thinking. Comment: Adapted from a broader maxim by General George S. Patton (1885- 
1945). 


151. Kafka’s Maxim: The people who write security rules and regulations don’t 


understand (1) what they are doing, or (2) how their policies drive actual security 
behaviors and misbehaviors. 
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*152. 30% Maxim: In any large organization, at least 30% of the security rules, policies, 
and procedures are pointless, absurd, ineffective, naive, out of date, wasteful, distracting, or 
one-size-fits-all nonsense, or they may even actively undermine security (by creating 
cynicism about security, ignoring local conditions, or driving bad behaviors that were not 
anticipated). 


153. The Politics Maxim: All security is local. Comment: Security depends on the local, 
on-the-ground conditions, not on high-level idealized plans for security. Comment: Just 
like all politics is local, all security is local. The on-the-ground details matter. 


154. By the Book Maxim: Full compliance with security rules and regulations is not 
compatible with optimal security. Comment: Because security rules and regulations are 
typically dumb and unrealistic (at least partially). Moreover, they often lead to over- 
confidence, waste time and resources, create unhelpful distractions, engender cynicism 
about security, and encourage employees to find workarounds to get their job done—thus 
making security an “us vs. them” game. 


*155. Pink Teaming Maxim: Most so-called “vulnerability assessments” are actually 
threat assessments, compliance auditing, “Red Teaming”, penetration testing, or some 
other exercise (like security surveys, safety analysis, feature analysis, design basis threat, 
or performance/reliability testing) not well designed to uncover a wide range of security 
vulnerabilities. Comment: This is much more the case in physical security than in cyber 
security. Originally, “Red Teaming” meant doing a vulnerability assessment, but it recent 
years, it has come to mean a one-off, often rigged “test” of a particular, narrowly-defined 
attack scenario. This may have some value, but is not the same thing as a comprehensive 
vulnerability assessment looking at a wide range of vulnerabilities and attack scenarios. 
(For compliance auditing, it is important to remember the 30% Maxim. See above.) 


*156. It’s About More Than Semantics Maxim: Organizations and security managers 
that misuse (or don’t use at all) the terms “vulnerabilities” or “vulnerability assessments” 
don’t do vulnerability assessments. Comment: While semantics aren’t very interesting, 
language does affect thinking. 


*157. Aw Ditz Maxim: Mindlessly auditing if bureaucratic security rules are being 
followed will usually get confused with a meaningful security review, or a vulnerability 
assessment. Comment: Compliance-based security doesn’t really work. See the 30% 
Maxim above. 


158. Seeing Red Maxim: “Red Teaming” or penetration testing will usually get confused 
with a comprehensive security review, or a vulnerability assessment. 


159. Rig the Rig Maxim: Any supposedly “realistic” test of security is rigged. 
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160. Cyborg Maxim: Organizations and managers who automatically think “cyber”, “IT”, 
“network”, or “computer” when somebody says “security”, don’t have good security 
(including good cyber security). 


161. Caffeine Maxim: On a day-to-day basis, security is mostly about paying attention. 
162. Any Donuts Left? Maxim: But paying attention is very difficult. 


163. Wolfe’s Maxim: If you don’t find it often, you often don’t find it. Comment: 
Perceptual blindness is a huge problem for security officers. 


*164. Uncomfortable Truth Maxim: You can be comfortable or you can have good 
security, but you cannot have both. 


165. He Who’s Name Must Never Be Spoken Maxim: Security programs and 
professionals who don’t talk a lot about “the adversary” or the “bad guys” aren’t prepared 
for them and don’t have good security. Comment: From Harry Potter. 


*166. Mahbubani’s Maxim: Organizations and security managers who cannot envision 
security failures, will not be able to avoid them. Comment: Named for scholar and 
diplomat Kishore Mahbubani. He meant to apply this general principle to politics, 
diplomacy, and public policy, but it is also applicable to security. 


*167. Pen Testing Maxim: You can’t test an attack you haven’t envisioned. Comment: 
Thus the importance of vulnerability assessments (not activities that get confused with 
vulnerability assessments). 


168. Hats & Sunglasses Off in the Bank Maxim: Security rules that only the good guys 
follow are probably Security Theater. 


169. Merton’s Maxim: The bad guys don’t obey our security policies. Comment: This 
maxim is courtesy of Kevin Sweere. It is named after Thomas Merton (1915-1968), a 
theological writer and philosopher. 


170. Sweere’s Maxim (Merton’s Corollary): It’s worse than that. The bad guys will 
analyze our security policies and regulations to find exploitable vulnerabilities, including 
those not envisioned by the good guys. 


171. Wall Street Maxim: Every good idea is eventually a bad idea. 


172. Dumbestic Safeguards Maxim: Domestic Nuclear Safeguards will inevitably get 
confused with International Nuclear Safeguards (treaty monitoring), including by people 
and organizations claiming to fully appreciate that the two applications are very different. 
Comment: Domestic Nuclear Safeguards is a typical security application, just for very 
important assets. With International Nuclear Safeguards, in contrast, the bad guys own the 


49 


Journal of Physical Security 12(2), 32-52 (2019) 


assets and facilities of interest, and they fully understand the surveillance, monitoring, and 
safeguards equipment being used (and may even build, control, and/or install it). It is 
especially common to overlook or ignore the fact that the adversary in International 
Nuclear Safeguards is a country, with national- to world-class resources available to defeat 
the safeguards. [Note: It’s sometimes misleading called “International Nuclear Safeguards” 
when one country or organization, or group of countries try to help a nation improve its 
own domestic nuclear safeguards, but this is still just Domestic Nuclear Safeguards for the 
country of interest.] 


173. Werther’s Maxim: The security of encrypted (or digitally authenticated) information 
has less to do with the sophistication of the cipher than with the competence, intelligence, 
diligence, and loyalty of the people who handle it. Comment: From a quote by Waldemar 
Werther that “The security of a cipher lies less with the cleverness of the inventor than 
with the stupidity of the men who are using it.” 


174. Tobias’s Maxim #5: Encryption is largely irrelevant. Comment: From Marc Weber 
Tobias. 


175. Red Herring Maxim: At some point in any challenging security application, 
somebody (or nearly everybody) will propose or deploy more or less pointless encryption, 
hashes, or data authentication along with the often incorrect and largely irrelevant 
statement that “the cipher [or hash or authentication algorithm] cannot be broken”. 

Comment: For many security applications, people forget that “it’s no more difficult to 
copy encrypted data than it is to copy unencrypted data.” 

Product anti-counterfeiting tags and International Nuclear Safeguards are two security 
applications highly susceptible to fuzzy thinking about encryption and data authentication. 

With anti-counterfeiting tags, it is no harder for the product counterfeiters to make 
copies of encrypted data than it is to make copies of unencrypted data. They don’t have to 
understand the encryption scheme or the encrypted data to copy it, so that the degree of 
difficulty in breaking the encryption (usually overstated) is irrelevant. Indeed, if there was 
a technology that could preventing cloning of encrypted data (or hashes or digital 
authentication), then that same technology could be used to prevent cloning of the 
unencrypted original data, in which case the encryption has no significant role to play. 
(Sometimes one might wish to send secure information to counterfeit hunters in the field, 
but the security features and encryption typically employed on cell phones or computers is 
good enough.) 

What makes no sense is putting encrypted data on a product, with or without it including 
encrypted data about an attached anti-counterfeiting tag; the bad guys can easily clone the 
encrypted data without having to understand it. When there is an anti-counterfeiting tag 
on a product, only the degree of difficulty of cloning it is relevant, not the encryption 
scheme. The use of unique, one-of-a-kind tags (i.e., complexity tags) does not alter the 
relative unimportance of the encryption as an anti-counterfeiting measure. 

Sometimes people promoting encryption for product anti-counterfeiting vaguely have in 
mind an overly complicated (and usually incomplete/flawed) form of a virtual numeric 
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token (“call-back strategy”). ({[See RG Johnston, “An Anti-Counterfeiting Strategy Using 
Numeric Tokens”, International Journal of Pharmaceutical Medicine 19, 163-171 (2005). | 

Encryption is also often thought of as a silver bullet for International Nuclear Safeguards, 
partially for reasons given in the Dumbestic Safeguards Maxim. The fact is that encryption 
or data authentication is of little security value if the adversary can easily break into the 
equipment holding the secret key without detection (as is usually the case), if there is a 
serious insider threat that puts the secret encryption key at risk (which is pretty much 
always the case), and/or if the surveillance or monitoring equipment containing the secret 
key is designed, controlled, inspected, maintained, stored, observed, or operated by the 
adversary (as is typically the case in International Nuclear Safeguards). 


176. Anti-Silver Bullet Maxim: If you have poor security before you deploy encryption or 
data authentication, you will have poor security after. Comment: Sometimes, you’ll have 
worse security because the encryption/authentication provides a false sense of security, or 
causes distractions. 


177. It’s Standard Maxim: As a general rule of thumb, about two-thirds of security 
“standards” or “certifications” (though not “guidelines”) make security worse. 


178. Alice Springs Maxim: Organizations will be loathe to factor in local, on-the-ground 
details in deciding what security resources to assign to a given location or asset. One-size- 
fits-all will be greatly preferred because it requires less thinking. 

Comment: This maxim is named after the standard reassurance given to worried tourists 
in Australia that “there aren’t a lot of shark attacks in Alice Springs”. 


179. Follow the Money Maxim: Security attention and resources will usually be doled out 
in proportion to the absolute dollar value of the assets being protected, not (as it should be) 
in proportion to the risk. 


180. Oh, the Lovely Colors! Maxim: High-level corporate executives will be convinced the 
organization has good security if they are shown lots of detailed, colorful graphs, 
spreadsheets, and calendars concerning security policies, planning, documentation, and 
training. 


181. The MBA Maxim: At high levels in an organization, lots of detailed work on security 
policies, planning, documentation, scheduling, and charts/graphs/spreadsheets will be 
preferred over actually thinking carefully and critically about security, or asking critical 
questions. 


182. Fallacy of Precision Maxim 1: If security managers or bureaucrats assign a number 
or a ranking to some aspect of security (e.g., probability of attack, economic consequences 
of the loss of an asset, etc.) they will incorrectly think they really understand that aspect 
and the related security issues. 


183. Fallacy of Precision Maxim 2: If there are n bits in the attribute measurement of a 
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given object, then security end users can be easily (wrongly) convinced that 2 is: (1) the 
probability that a similar object matches this one, and/or (2) the probability that somebody 
can fool the attribute reader, including by "counterfeiting" or mimicking the object so that 
it has essentially the same attribute measurement. Comment: End users of security 
products (especially biometrics or tag readers) will often be fooled by this fallacy. Why is it 
a fallacy? Among other reasons: Because the bits are not uncorrelated, because they don’t 
all have relevance to the security or authenticity problem (maybe none of them do!), 
because the degree of correlation between similar objects has not been inputted into the 
problem, because the type 1 and type 2 errors and tradeoffs haven’t been carefully 
measured or analyzed, because the ease or difficulty of counterfeiting involves many 
outside factors not included here, and because the ease or difficulty of otherwise spoofing 
the reader has not been considered. 


*184. Apples and Oranges Maxim: Anyone trying to sell you a counterfeit detector, will 
make a big show of how different objects have different signatures (attribute 
measurements), but will ignore, oversimplify, or misrepresent the far more important 
question of how hard it is to fool the reader, including by "counterfeiting" or mimicking the 
object so that it has essentially the same signature. Comment: Manufacturers, vendors, 
and promoters of biometrics products and tag readers are very fond of doing this. 


185. I Second That Motion Maxim: “Security by Committee” is an oxymoron. 

186. Nuke that Idea Maxim: Nuclear Security/Safeguards is an oxymoron. 

187. Security By Design Maxim: Most security products, facilities, or programs that were 
designed using so-called “security by design” methods don’t actually have much security in 
them, but at least the word “security” came up early in discussions. 

188. Lunkhead Maxim: Lunkheads will be attracted to security management and security 
supervisory roles, including because their ignorance and incompetence will only be 


occasionally noted. 


189. Fox in the Hen House Maxim: The people selling, installing, and maintaining your 
security systems are not trustworthy. 


190. Any Questions? Maxim: The profundity and novelty of a given security talk is 
inversely proportional to how many questions are asked by the audience. 


191. But Wait! Maxim: Any given security talk is a sales pitch. 
192. Let’s Get Physical Security: Physical Security is more difficult than Cyber Security 
(though Cyber Security is plenty hard.) Comment: Cyber Security involves protecting 1’s 


and 0’s. Physical security often involves protecting many tangible and intangible assets 
spread out in time and space, with many possible attack scenarios. 
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193. Reality TV Maxim: Video surveillance does not prevent crime (though it may be 
useful for documenting crime). 
194. Hi Mom! Maxim: When officials release a photo or video recording of a crime, asking 
if the public recognizes the perpetrator(s), the image quality will be so poor that you 


couldn’t recognize your own mother. Comment: Nowadays, it is malpractice not to have 
full resolution HD video images and video recording given the relatively low cost. 


The following are general “laws” and “principles” that also apply to security: 


195. Grey’s/Schryver’s Law: Any sufficiently advanced incompetence is indistinguishable 
from malice. Comment: Security incompetence is very much an insider threat. 


196. Fudd’s Law: If you push on something hard enough, it will fall over. 


197. First Law of Revision: Information necessitating a change of design will be conveyed 
to the designers after—and only after—the plans are complete. 


198. Hellrung’s Law: If you wait long enough, it will go away. 
199. Grelb’s Law: But if it was bad, it will come back. 


200. Brien’s First Law: At some time in the life cycle of virtually every organization, its 
ability to succeed in spite of itself runs out. 


201. Bucy’s Law: Nothing is ever accomplished by a reasonable person. 
202. Stewart's Law: It is easier to get forgiveness than permission. 
203. Horngren’s Law: The Real World is a special case. 

204. Glazer’s Law: If it’s “one size fits all”, then it doesn’t fit anybody. 
205. Gold’s Law: If the shoe fits, it’s ugly. 

206. Firestone’s Law: Chicken Little only has to be right once. 


207. Shaw’s Law: Build a system that even a fool can use, and only a fool will want to use 
it. 


208. Byrne’s Law: In any electrical circuit, appliances and wiring will burn out to protect 
the fuses. 
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209. Ginsberg’s Laws from the beat poet Allen Ginsberg (1926-1997): 
The First Law of Thermodynamics: "You can't win." 

The Second Law of Thermodynamics: "You can't break even." 

The Third Law of Thermodynamics: "You can't quit." 


210. Putt’s Law: Technology is dominated by two types of people: those who understand 
what they do not manage, and those who manage what they do not understand. 


211. Clarke's First Law: When a distinguished but elderly scientist states that something 
is possible, he is almost certainly right. When he states that something is impossible, he is 
probably wrong. 


212. Hawkin’s Law: Progress does not consist of replacing a theory that is wrong with 
one that is right. It consists of replacing a theory that is wrong with one that is more subtly 
wrong. 


213. Dunning-Kruger Effect: Incompetent people don’t recognize that they are 
incompetent. 


214. Sallinger’s Law: All morons hate it when you call them a moron. Comment: From 
J.D. Sallinger (1919-2010). 


215. Kernighan's Law: Debugging is twice as hard as writing the software in the first 
place. Therefore, if you write the software as cleverly as possible, you are (by definition) 
not smart enough to debug it. 


216. Life Cycle of a Good Idea Law: If you have a good idea: first they ignore you, then 
they ridicule you, then they claim to have thought of it first, then it's declared to be obvious. 


217. Not Invented Here Law: If it wasn't invented here, it's a bad idea (unless we can 
steal the idea and make it look like we thought of it first). 


218. Glass Houses Law: The people most obsessed with the work quality of others will 
typically be among the most incompetent, deadwood screw-ups in the whole organization. 


*219. Tacitus’s Law: To show resentment at a reproach is to acknowledge that one may 
have deserved it. Comment: From Tacitus (55-117 AD). 


220. Peter Principle: In a hierarchy, every employee tends to rise to their level of 
incompetence. Comment: From Laurence J. Peter and his 1968 book, The Peter Principle. 
The idea is that employees who do a good job get promoted until they reach a level where 
they don’t do a good job and don’t get further promoted. Employees are loath to turn down 
a promotion even when they realize they are unqualified for it. 
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221. Peter Principle Corollary: Given enough time, any organization will be dominated 
by incompetent employees. 


222. Orwell’s Principle: Being sloppy with security terminology leads to sloppy security 
thinking and practice. Comment: From this quote by George Orwell (1903-1950): “The 
slovenliness of our language makes it easier for us to have foolish thoughts.” A common 
example is confusing (or hijacking) the meaning of “vulnerabilities” and “vulnerability 
assessments” so that effective thinking about vulnerabilities is difficult to do. 
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